fix: netoworking
NotAShelf authored and isabelroses committed Nov 13, 2023
1 parent 6b6456b commit 599d724
Showing 7 changed files with 197 additions and 197 deletions.
6 changes: 3 additions & 3 deletions lib/default.nix
Expand Up @@ -13,16 +13,16 @@
in
(func defaultArgs) // functor;

# a modified version of NUR's dag type
dag = import' ./dag.nix;

builders = import' ./builders.nix {inherit inputs;};
services = import' ./services.nix;
validators = import' ./validators.nix;
helpers = import' ./helpers.nix;
hardware = import' ./hardware.nix;

# abstractions over networking functions
# dag library is a modified version of the one found in
# rycee's NUR repository
dag = import' ./networking/dag.nix;
firewall = import' ./networking/firewall.nix {inherit dag;};
namespacing = import' ./networking/namespacing.nix;

Expand Down
48 changes: 26 additions & 22 deletions lib/dag.nix → lib/networking/dag.nix
Expand Up @@ -8,30 +8,33 @@
# - the addition of the function `entryBefore` indicating a
# "wanted by" relationship.
{lib, ...}: let
inherit (lib) mkOption filterAttrs mapAttrsToList toposort mapAttrs any;
types = {
dagOf = subType:
types.attrsOf (types.submodule {
options = {
data = mkOption {
type = subType;
description = "Entry value.";
};
inherit (lib) mkOption filterAttrs mapAttrsToList toposort mapAttrs any types;

before = mkOption {
type = with lib.types; listOf str;
default = [];
description = "Entries to guarantee before.";
};
types' =
types
// {
dagOf = subType:
types.attrsOf (types.submodule {
options = {
data = mkOption {
type = subType;
description = "Entry value.";
};

before = mkOption {
type = types.listOf types.str;
default = [];
description = "Entries to guarantee before.";
};

after = mkOption {
type = with lib.types; listOf str;
default = [];
description = "Entries to guarantee after.";
after = mkOption {
type = types.listOf types.str;
default = [];
description = "Entries to guarantee after.";
};
};
};
});
};
});
};

dag = {
# Takes an attribute set containing entries built by
Expand Down Expand Up @@ -132,5 +135,6 @@
};
};
in {
inherit (dag) entryBefore entryBetween entryAfter entryAnywhere;
inherit (dag) entryBefore entryBetween entryAfter entryAnywhere topoSort;
inherit (types') dagOf;
}
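Review bot: `types'` in the first hunk copies the whole of `lib.types` only to add `dagOf`, yet the export at the end is `inherit (types') dagOf;` and nothing else from `types'` is used, so the merge is dead weight and the primed name shadows a library set the file already reaches as `types`. A plain binding reads more directly: `dagOf = subType: types.attrsOf (types.submodule { ... });` with `inherit dagOf;` in the result set. The `dag` attribute set that follows and the enclosing `let` body continue outside the hunk. `topoSort` is newly exported in the second hunk; since firewall.nix consumes it as `(topoSort chain).result or (throw ...)`, a one-line comment on the export such as `# topoSort appears to yield { result = [...]; } on success; callers must handle the cycle case` would document that contract for other consumers.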
60 changes: 38 additions & 22 deletions lib/networking/firewall.nix
@@ -1,16 +1,19 @@
{
lib,
dag,
lib,
...
}: let
inherit (lib) mkOption mkEnableOption optionalString concatMapStringsSep concatStringsSep filterAttrs types;
inherit (dag) dagOf topoSort;

mkTable = desc: body:
lib.mkOption {
default = {};
type = lib.types.submodule ({config, ...}: {
type = types.submodule ({config, ...}: {
options =
{
enable = lib.mkEnableOption desc;
objects = lib.mkOption {
enable = mkEnableOption desc;
objects = mkOption {
type = with lib.types; listOf str;
description = "Objects associated with this table.";
};
Expand All @@ -19,7 +22,7 @@

config = let
buildChainDag = chain:
lib.concatMapStringsSep "\n" ({
concatMapStringsSep "\n" ({
name,
data,
}: let
Expand All @@ -40,18 +43,19 @@
(
if builtins.length data.value == 1
then builtins.head values
else "{ ${lib.concatStringsSep ", " values} }"
else "{ ${concatStringsSep ", " values} }"
);
in ''
${protocol} ${field} ${value} ${policy} comment ${name}
'') ((dag.topoSort chain).result or (throw "Cycle in DAG"));
'') ((topoSort chain).result or (throw "Cycle in DAG"));
buildChain = chainType: chain:
lib.mapAttrsToList (chainName: chainDag: ''
chain ${chainName} {
type ${chainType} hook ${chainName} priority 0;
${buildChainDag chainDag}
}
'') (lib.filterAttrs (_: g: builtins.length (builtins.attrNames g) > 0) chain);
'') (filterAttrs (_: g: builtins.length (builtins.attrNames g) > 0) chain);
in {
objects = let
chains =
Expand All @@ -77,15 +81,16 @@
description = "Containers for chains, sets, and other stateful objects.";
};

mkChain = _: description:
lib.mkOption {
mkChain = family: description:
mkOption {
inherit description;
default = {};
type = dag.types.dagOf (lib.types.submodule {
type = dagOf (types.submodule {
options = {
protocol = lib.mkOption {
protocol = mkOption {
description = "Protocol to match.";
default = null;
type = with lib.types;
type = with types;
nullOr (either (enum [
"ether"
"vlan"
Expand All @@ -105,11 +110,11 @@
"comp"
])
str);
description = "Protocol to match.";
};
field = lib.mkOption {

field = mkOption {
default = null;
type = with lib.types;
type = with types;
nullOr (enum [
"dport"
"sport"
Expand All @@ -122,33 +127,44 @@
]);
description = "Value to match.";
};
value = lib.mkOption {

value = mkOption {
default = null;
type = with lib.types; let
type = with types; let
valueType = oneOf [port str];
in
nullOr (coercedTo valueType (v: [v]) (listOf valueType));
description = "Associated value.";
};
policy = lib.mkOption {
type = lib.types.enum [

policy = mkOption {
description = "What to do with matching packets.";
type = types.enum [
"accept"
"reject"
"drop"
"log"
];
description = "What to do with matching packets.";
};
};
});
};

mkRuleset = ruleset:
concatStringsSep "\n" (lib.mapAttrsToList (name: table:
optionalString (builtins.length table.objects > 0) ''
table ${name} nixos {
${concatStringsSep "\n" table.objects}
}
'')
ruleset);

mkIngressChain = mkChain "Process all packets before they enter the system";
mkPrerouteChain = mkChain "Process all packets entering the system";
mkInputChain = mkChain "Process packets delivered to the local system";
mkForwardChain = mkChain "Process packets forwarded to a different host";
mkOutputChain = mkChain "Process packets sent by local processes";
mkPostrouteChain = mkChain "Process all packets leaving the system";
in {
inherit mkTable mkIngressChain mkPrerouteChain mkInputChain mkForwardChain mkOutputChain mkPostrouteChain;
inherit mkTable mkRuleset mkIngressChain mkPrerouteChain mkInputChain mkForwardChain mkOutputChain mkPostrouteChain;
}
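Review bot: The first parameter of `mkChain` is renamed from `_` to `family` in the fourth hunk, but `family` is not referenced anywhere in the visible body, so the rename only suggests a meaning the code does not implement. Because the six `mk*Chain` bindings at the bottom partially apply `mkChain` with their descriptive string as that first argument, those strings are discarded and the option description comes entirely from the caller's next argument; if that is intended, keep `_` or add `# first argument is presumably the nftables address family; currently ignored` above the binding, otherwise thread it into the option, e.g. `description = "${description} (${family} family)";`. The `mkChain` body is split across the fourth to sixth hunks with unexpanded context between them, so a use of `family` outside the shown lines cannot be ruled out. Separately, `type = with lib.types; listOf str;` in the `objects` option of the first hunk still goes through `lib.types` while the surrounding lines now use the inherited `types`.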
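--- a/modules/base/common/host/os/network/firewall/default.nix
+++ b/modules/base/common/host/os/network/firewall/default.nix
@@ -14,22 +14,10 @@ in {
 ./nftables.nix
 ];
 
-config = let
-check-results =
-pkgs.runCommand "check-nft-ruleset" {
-ruleset = pkgs.writeText "nft-ruleset" cfg.ruleset;
-} ''
-mkdir -p $out
-${pkgs.nftables}/bin/nft -c -f $ruleset 2>&1 > $out/message \
-&& echo false > $out/assertion \
-|| echo true > $out/assertion
-'';
-in {
-services = {
-# enable opensnitch firewall
-# inactive until opensnitch UI is opened
-opensnitch.enable = true;
-};
+config = {
+# enable opensnitch firewall
+# inactive until opensnitch UI is opened
+services.opensnitch.enable = true;
 
 networking = {
 firewall = {
@@ -63,17 +51,5 @@ in {
 checkReversePath = mkForce false; # Don't filter DHCP packets, according to nixops-libvirtd
 };
 };
-
-assertions = [
-{
-message = ''
-Bad config:
-${builtins.readFile "${check-results}/message"}
-'';
-assertion = import "${check-results}/assertion";
-}
-];
-
-system.extraDependencies = [check-results]; # pin IFD as a system dependency
 };
 }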
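Review bot: The build-time ruleset check disappears with this section: the `check-nft-ruleset` derivation that ran `nft -c -f` over `cfg.ruleset`, the assertion built from its output and the `system.extraDependencies` pin are all removed, and nothing in the new `config` block replaces them. Unless the validation moved into `./nftables.nix` (imported above but not among the files shown on this page), a ruleset that fails to parse is now detected only when the nftables unit starts at activation, which can leave the host running without the intended filtering rules rather than failing the build. If that relocation is what happened, a comment recording it, e.g. `# ruleset syntax is validated in ./nftables.nix`, would spare the next reader the same question; otherwise the `nft -c` check should be restored there.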