From d0d92b9100828483b01bc57ca336ef9c32f83cd1 Mon Sep 17 00:00:00 2001
From: Astro
Date: Tue, 12 Mar 2024 01:15:56 +0100
Subject: [PATCH] Add modules/firewall to allow bgp on ifaces
---
 checks/two-peers.nix | 2 --
 modules/default.nix | 4 ++++
 modules/firewall.nix | 25 +++++++++++++++++++++++++
 3 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 modules/firewall.nix
diff --git a/checks/two-peers.nix b/checks/two-peers.nix
index b16e5e0..18e1f1d 100644
--- a/checks/two-peers.nix
+++ b/checks/two-peers.nix
@@ -48,7 +48,6 @@ pkgs.nixosTest rec {
 prefixLength = 64; } ]; };
- networking.firewall.enable = false;
 }; bar = { imports = [ ../modules ];
@@ -94,7 +93,6 @@ pkgs.nixosTest rec {
 prefixLength = 64; } ]; };
- networking.firewall.enable = false;
 }; };
diff --git a/modules/default.nix b/modules/default.nix
index 48d5935..9e1eb0a 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -3,6 +3,10 @@ let cfg = config.networking.dn42; in {
+ imports = [
+ ./firewall.nix
+ ];
+
 options.networking.dn42 = { enable = lib.mkEnableOption "Whether to enable dn42 integration.";
diff --git a/modules/firewall.nix b/modules/firewall.nix
new file mode 100644
index 0000000..2edfcaf
--- /dev/null
+++ b/modules/firewall.nix
@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+let
+ enable = config.networking.dn42.enable && config.networking.firewall.enable;
+
+in
+{
+ # Allow BGP on peering interfaces
+ # TODO: these should actually only additionally filter for peer's
+ # addresses, but there is no NixOS option for that.
+ networking.firewall.interfaces = lib.mkIf enable (
+ builtins.listToAttrs (
+ map (interface: {
+ name = interface;
+ value.allowedTCPPorts = [
+ # BGP
+ 179
+ ];
+ }) (
+ map ({ interface, ... }: interface) (
+ builtins.attrValues config.networking.dn42.peers
+ )
+ )
+ )
+ );
+}
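Review bot: In modules/firewall.nix, `value.allowedTCPPorts = [ 179 ]` under `networking.firewall.interfaces` admits TCP 179 from any host reachable through each peering interface, not only from the configured peer, so on a shared segment (the test VMs' ethernet links, for instance) every neighbour can reach the BGP daemon's listening port; the TODO records this, but its claim that "there is no NixOS option for that" is too strong, since `networking.firewall.extraCommands` (iptables backend) can carry a per-peer source-address match if the peers submodule exposes an address — that submodule is outside this diff, so worth confirming. The comment should say where the exposure matters, e.g. `# On point-to-point tunnels only the peer can reach this; on shared L2 segments any neighbour can, until per-peer source filtering is added.` On style, the two nested maps collapse into one: `map ({ interface, ... }: { name = interface; value.allowedTCPPorts = [ 179 ]; }) (builtins.attrValues config.networking.dn42.peers)`. The `config.networking.firewall.enable` conjunct in `enable` is redundant but harmless, as per-interface rules are only generated when the firewall is on.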