diff options
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-1903.xml | 11 | ||||
| -rw-r--r-- | nixos/modules/services/networking/firewall.nix | 19 |
2 files changed, 20 insertions, 10 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml index ceb26ba5affe..49f475913d8a 100644 --- a/nixos/doc/manual/release-notes/rl-1903.xml +++ b/nixos/doc/manual/release-notes/rl-1903.xml @@ -222,6 +222,17 @@ reset to the default value (<literal>false</literal>). </para> </listitem> + <listitem> + <para> + Network interface indiscriminate NixOS firewall options + (<literal>networking.firewall.allow*</literal>) are now preserved when also + setting interface specific rules such as <literal>networking.firewall.interfaces.en0.allow*</literal>. + These rules continue to use the pseudo device "default" + (<literal>networking.firewall.interfaces.default.*</literal>), and assigning + to this pseudo device will override the (<literal>networking.firewall.allow*</literal>) + options. + </para> + </listitem> </itemizedlist> </section> diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index 86463f276c65..aba64e4f60ff 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -58,6 +58,9 @@ let ${text} ''; in "${dir}/bin/${name}"; + defaultInterface = { default = mapAttrs (name: value: cfg."${name}") commonOptions; }; + allInterfaces = defaultInterface // cfg.interfaces; + startScript = writeShScript "firewall-start" '' ${helpers} @@ -154,7 +157,7 @@ let ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} '' ) cfg.allowedTCPPorts - ) cfg.interfaces)} + ) allInterfaces)} # Accept connections to the allowed TCP port ranges. ${concatStrings (mapAttrsToList (iface: cfg: @@ -164,7 +167,7 @@ let ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} '' ) cfg.allowedTCPPortRanges - ) cfg.interfaces)} + ) allInterfaces)} # Accept packets on the allowed UDP ports. ${concatStrings (mapAttrsToList (iface: cfg: @@ -173,7 +176,7 @@ let ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} '' ) cfg.allowedUDPPorts - ) cfg.interfaces)} + ) allInterfaces)} # Accept packets on the allowed UDP port ranges. ${concatStrings (mapAttrsToList (iface: cfg: @@ -183,7 +186,7 @@ let ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} '' ) cfg.allowedUDPPortRanges - ) cfg.interfaces)} + ) allInterfaces)} # Accept IPv4 multicast. Not a big security risk since # probably nobody is listening anyway. @@ -508,15 +511,11 @@ in }; interfaces = mkOption { - default = { - default = mapAttrs (name: value: cfg."${name}") commonOptions; - }; + default = { }; type = with types; attrsOf (submodule [ { options = commonOptions; } ]); description = '' - Interface-specific open ports. Setting this value will override - all values of the <literal>networking.firewall.allowed*</literal> - options. + Interface-specific open ports. ''; }; } // commonOptions; |