Author: eelco
Date: Wed Mar 9 16:37:16 2011
New Revision: 26236
URL: https://svn.nixos.org/websvn/nix/?rev=26236&sc=1
Log:
* Add an option for opening UDP ports.
* Accept packets destined for link-local addresses (fe80::/10).
Modified:
nixos/trunk/modules/services/networking/firewall.nix
Modified: nixos/trunk/modules/services/networking/firewall.nix
==============================================================================
--- nixos/trunk/modules/services/networking/firewall.nix Wed Mar 9
16:34:19 2011 (r26235)
+++ nixos/trunk/modules/services/networking/firewall.nix Wed Mar 9
16:37:16 2011 (r26236)
@@ -53,7 +53,7 @@
networking.firewall.allowedTCPPorts = mkOption {
default = [];
- example = [22 80];
+ example = [ 22 80 ];
type = types.list types.int;
description =
''
@@ -62,6 +62,16 @@
'';
};
+ networking.firewall.allowedUDPPorts = mkOption {
+ default = [];
+ example = [ 53 ];
+ type = types.list types.int;
+ description =
+ ''
+ List of open UDP ports.
+ '';
+ };
+
networking.firewall.allowPing = mkOption {
default = false;
type = types.bool;
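Review bot: The description of the new `allowedUDPPorts` option (`List of open UDP ports.`) says less than the rule it drives: the generated `ip46tables -A INPUT -p udp --dport … -j ACCEPT` line in the later hunk has no interface or address match, so each listed port is opened for incoming datagrams on every interface, for both IPv4 and IPv6. I would spell that out so a user reading `nixos-option` understands the exposure, e.g. `List of UDP ports on which incoming datagrams are accepted, on all interfaces (IPv4 and IPv6).` The TCP option's description is cut off in this hunk, so I cannot tell whether it already carries the same wording; if it does, mirror it here for consistency.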
@@ -131,6 +141,14 @@
) config.networking.firewall.allowedTCPPorts
}
+ # Accept packets on the allowed UDP ports.
+ ${concatMapStrings (port:
+ ''
+ ip46tables -A INPUT -p udp --dport ${toString port} -j ACCEPT
+ ''
+ ) config.networking.firewall.allowedUDPPorts
+ }
+
# Accept IPv4 multicast. Not a big security risk since
# probably nobody is listening anyway.
iptables -A INPUT -d 224.0.0.0/4 -j ACCEPT
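Review bot: The new block reads the port list as `config.networking.firewall.allowedUDPPorts` while the surrounding module already has `cfg` in scope (used as `cfg.allowPing` in the last hunk); `) cfg.allowedUDPPorts` would be shorter and consistent with that, although it follows the existing TCP line just above. Since `types.int` does not bound the value, a port outside 1–65535 is presumably only rejected by ip46tables when the rules are loaded at activation, not at evaluation; a one-line comment noting that interpolated values come straight from the typed option would make the `${toString port}` interpolation easier to audit later. The enclosing shell string continues before and after this hunk.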
@@ -138,6 +156,7 @@
# Accept IPv6 ICMP packets on the local link. Otherwise
# stuff like neighbor/router solicitation won't work.
ip6tables -A INPUT -s fe80::/10 -p icmpv6 -j ACCEPT
+ ip6tables -A INPUT -d fe80::/10 -p icmpv6 -j ACCEPT
# Optionally respond to pings.
${optionalString cfg.allowPing ''
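Review bot: The comment above the two link-local rules still describes only the source match (`Accept IPv6 ICMP packets on the local link`), while the added line now also accepts any ICMPv6 packet whose destination is in fe80::/10 regardless of source; the comment should be updated, e.g. `# Accept IPv6 ICMP packets from and to link-local addresses. Otherwise stuff like neighbor/router solicitation won't work.` The exposure looks limited because link-local destinations are not forwarded off-link, but stating the intent keeps a later reviewer from wondering why the destination variant is needed. Note that neighbor solicitations are usually addressed to solicited-node multicast groups rather than to fe80::/10, so the new rule presumably matters for replies and advertisements sent to this host's link-local address; if that is the case the comment could say so.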