summaryrefslogtreecommitdiffstats
path: root/tv/3modules
diff options
context:
space:
mode:
authorlassulus <lass@aidsballs.de>2016-06-30 09:16:10 +0200
committerlassulus <lass@aidsballs.de>2016-06-30 09:16:10 +0200
commit7550c663112c5a59e7c760c4b96c9bcc919fb175 (patch)
tree66ba4ef196bf81449a6a9ce26da23fc9eb77b353 /tv/3modules
parentf12578c66f8b7b829c0dec5255f358778c0d3366 (diff)
parent0c7a44139fba572487fe853310b6d88a6ffa21c3 (diff)
Merge remote-tracking branch 'cd/master'
Diffstat (limited to 'tv/3modules')
-rw-r--r--tv/3modules/iptables.nix24
1 files changed, 18 insertions, 6 deletions
diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix
index c0e71f24d..4b1d1ef87 100644
--- a/tv/3modules/iptables.nix
+++ b/tv/3modules/iptables.nix
@@ -17,12 +17,22 @@ let
default = "retiolum";
};
- input-internet-accept-new-tcp = mkOption {
+ input-internet-accept-tcp = mkOption {
type = with types; listOf (either int str);
default = [];
};
- input-retiolum-accept-new-tcp = mkOption {
+ input-internet-accept-udp = mkOption {
+ type = with types; listOf (either int str);
+ default = [];
+ };
+
+ input-retiolum-accept-tcp = mkOption {
+ type = with types; listOf (either int str);
+ default = [];
+ };
+
+ input-retiolum-accept-udp = mkOption {
type = with types; listOf (either int str);
default = [];
};
@@ -83,8 +93,8 @@ let
ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT";
ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT";
}."ip${toString iptables-version}tables";
- accept-new-tcp = port:
- "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
+ accept-tcp = port: "-p tcp -m tcp --dport ${port} -j ACCEPT";
+ accept-udp = port: "-p udp -m udp --dport ${port} -j ACCEPT";
in
pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
*nat
@@ -112,13 +122,15 @@ let
"-i lo -j ACCEPT"
]
++ optional (cfg.accept-echo-request == "internet") accept-echo-request
- ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
+ ++ map accept-tcp (unique (map toString cfg.input-internet-accept-tcp))
+ ++ map accept-udp (unique (map toString cfg.input-internet-accept-udp))
++ ["-i retiolum -j Retiolum"]
)}
${formatTable cfg.extra.filter}
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
- ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))
+ ++ map accept-tcp (unique (map toString cfg.input-retiolum-accept-tcp))
+ ++ map accept-udp (unique (map toString cfg.input-retiolum-accept-udp))
++ {
ip4tables = [
"-p tcp -j REJECT --reject-with tcp-reset"