diff --git a/machines/shinobu/services/router/dnsmasq.nix b/machines/shinobu/services/router/dnsmasq.nix
index b462b13..12fd09a 100644
--- a/machines/shinobu/services/router/dnsmasq.nix
+++ b/machines/shinobu/services/router/dnsmasq.nix
@@ -42,6 +42,11 @@ in
     ]) cfg.vlan);
+    nftset = [
+      "/pool.ntp.org/4#filter#iot_ntp4"
+      "/pool.ntp.org/6#filter#iot_ntp6" # does not work
+    ];
+
     server = [ "127.0.0.1#5053" ];
diff --git a/machines/shinobu/services/router/rules.nft b/machines/shinobu/services/router/rules.nft
index 5a86b08..f551897 100644
--- a/machines/shinobu/services/router/rules.nft
+++ b/machines/shinobu/services/router/rules.nft
@@ -3,6 +3,16 @@ define PHYSICAL_WAN = "enp1s0"
 define NAT_WAN_IFACES = { $PHYSICAL_WAN }
 table inet filter {
+  # These two sets are dynamically managed by dnsmasq
+  set iot_ntp4 {
+    type ipv4_addr
+    comment "IPv4 addresses of resolved NTP servers"
+  }
+  set iot_ntp6 {
+    type ipv6_addr
+    comment "IPv6 addresses of resolved NTP servers"
+  }
+
   chain forward {
     type filter hook forward priority filter; policy drop
@@ -18,7 +28,8 @@ table inet filter {
     iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept
     iifname "br-iot" ip daddr 167.235.30.249 tcp dport 1883 counter accept # FIXME migrate service to shinobu
-    iifname "br-iot" udp dport 123 counter accept # FIXME too generic
+    iifname "br-iot" ip daddr @iot_ntp4 udp dport 123 counter accept
+    iifname "br-iot" ip6 daddr @iot_ntp6 udp dport 123 counter accept
     iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept
   }
 }
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 538fe79..d9c3074 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -46,4 +46,15 @@ in
     patches = [ ];
   });
+
+  # TODO 23.11: Remove
+  dnsmasq = prev.dnsmasq.overrideAttrs (o: rec {
+    preBuild = o.preBuild + ''
+      makeFlagsArray[0]="''${makeFlagsArray[0]} -DHAVE_NFTSET"
+    '';
+
+    buildInputs = o.buildInputs ++ (with prev; [
+      nftables
+    ]);
+  });
 }
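Review bot: The `# does not work` remark on the `/pool.ntp.org/6#filter#iot_ntp6` entry records a known gap without saying what fails, so the next reader cannot tell whether the matching `ip6 daddr @iot_ntp6` rule in rules.nft is expected to be dead; record the symptom, e.g. `# does not work: iot_ntp6 stays empty, so IPv6 NTP from br-iot is dropped (see rules.nft)`. The dnsmasq documentation I am aware of spells the nftset target as `[4|6]#<family>#<table>#<set>` (for this ruleset `4#inet#filter#iot_ntp4`), and the entries here omit the family, so confirm the form against the man page of the pinned dnsmasq build and check with `nft list set inet filter iot_ntp4` that the set actually fills — with the forward chain's `policy drop`, a parse mismatch silently blocks all IoT NTP rather than failing loudly. Only names resolved through this dnsmasq populate the sets; a device using another NTP hostname or a hard-coded server address will be dropped, which is the intended fail-closed behaviour but deserves a comment next to the list.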
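Review bot: The two sets are declared without `flags timeout`, so addresses dnsmasq adds are never removed; pool.ntp.org rotates across many community-run hosts, so over the lifetime of the ruleset the allow-set keeps widening beyond the servers currently in use. If the dnsmasq build applies element timeouts, declaring the sets with `flags timeout` and a `timeout` near the DNS TTL keeps the allowlist close to what was actually resolved; if it does not, say so in the comment, e.g. `# Entries are added on resolution and never expire; reloading the ruleset (nft -f) empties them until the next lookup`. The sets also only exist once this file is loaded, so dnsmasq must start after the ruleset is applied or its early additions fail and the affected addresses stay blocked until the next query.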
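Review bot: The two new accept rules constrain only `iifname "br-iot"` and the destination set, not the outgoing interface, whereas the neighbouring WAN rule pins `oifname`; a set element that happens to be an internal address (an upstream answer for pool.ntp.org pointing at a local range) would therefore permit UDP/123 from the IoT VLAN into the other bridges. Adding `oifname $NAT_WAN_IFACES` to both lines, e.g. `iifname "br-iot" oifname $NAT_WAN_IFACES ip daddr @iot_ntp4 udp dport 123 counter accept`, ensures the dynamically managed sets can only ever widen WAN reachability. Enabling dnsmasq's `stop-dns-rebind` option covers the same case on the DNS side, since the sets are only as trustworthy as the resolver feeding them.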
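Review bot: `# TODO 23.11: Remove` states when but not why the override exists, so a reader cannot tell whether the `-DHAVE_NFTSET` flag, the extra `nftables` build input, or both become unnecessary; suggest `# TODO 23.11: Remove — builds dnsmasq with -DHAVE_NFTSET so the nftset option in machines/shinobu/services/router/dnsmasq.nix works; drop once the packaged dnsmasq enables it` (adjust if that is not the actual reason). The `makeFlagsArray[0]=...` edit assumes the first makeFlags entry is the one carrying the compiler options, an implicit dependency on the upstream derivation's flag order that breaks silently if it changes; a comment naming that assumption, or appending the define to the `COPTS` variable the upstream build reads if that is what it uses, would be more robust. `rec` is unused here, since neither attribute refers to the other, and can be dropped.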