shinobu/router: Dynamically allow ntp for iot

This commit is contained in:
Simon Bruder 2023-10-18 23:09:49 +02:00
parent 3f9e9e15e9
commit 315cc1b50c
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
3 changed files with 28 additions and 1 deletions


@ -42,6 +42,11 @@ in
]) ])
cfg.vlan); cfg.vlan);
nftset = [
"/pool.ntp.org/4#filter#iot_ntp4"
"/pool.ntp.org/6#filter#iot_ntp6" # does not work
];
server = [ server = [
"127.0.0.1#5053" "127.0.0.1#5053"
]; ];
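Review bot: The `# does not work` on the IPv6 nftset entry records a failure without its cause, so the next reader cannot tell whether the line is a known dnsmasq limitation or a local misconfiguration, and it quietly means the `ip6 daddr @iot_ntp6` rule added in the nftables file never matches, i.e. IPv6 NTP from br-iot remains dropped. I would replace it with `# does not work: <observed symptom or error> — until fixed, iot_ntp6 stays empty and IPv6 NTP from br-iot is dropped`. A one-line comment above `nftset` would also help, stating that the allow-list only covers devices that resolve pool.ntp.org through this dnsmasq; a device with a hard-coded NTP address or its own resolver is blocked by the new forward rule, which is presumably intended but should be written down. The enclosing dnsmasq settings attribute set starts before the hunk.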


@ -3,6 +3,16 @@ define PHYSICAL_WAN = "enp1s0"
define NAT_WAN_IFACES = { $PHYSICAL_WAN } define NAT_WAN_IFACES = { $PHYSICAL_WAN }
table inet filter { table inet filter {
# These two sets are dynamically managed by dnsmasq
set iot_ntp4 {
type ipv4_addr
comment "IPv4 addresses of resolved NTP servers"
}
set iot_ntp6 {
type ipv6_addr
comment "IPv6 addresses of resolved NTP servers"
}
chain forward { chain forward {
type filter hook forward priority filter; policy drop type filter hook forward priority filter; policy drop
@ -18,7 +28,8 @@ table inet filter {
iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept
iifname "br-iot" ip daddr 167.235.30.249 tcp dport 1883 counter accept # FIXME migrate service to shinobu iifname "br-iot" ip daddr 167.235.30.249 tcp dport 1883 counter accept # FIXME migrate service to shinobu
iifname "br-iot" udp dport 123 counter accept # FIXME too generic iifname "br-iot" ip daddr @iot_ntp4 udp dport 123 counter accept
iifname "br-iot" ip6 daddr @iot_ntp6 udp dport 123 counter accept
iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept
} }
} }
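Review bot: Both sets are defined without `flags timeout`, so elements dnsmasq adds persist until the ruleset is reloaded; if dnsmasq only ever adds elements and never removes them (I believe that is the case, worth confirming), the sets grow with every pool.ntp.org rotation and the allow-list widens to stale addresses over time. A default element timeout on both sets, e.g. `flags timeout` and `timeout 1h`, would bound that, provided dnsmasq re-adds addresses on later lookups rather than only on cache misses. The comment above the sets could also name the mechanism, e.g. `# Populated at runtime by dnsmasq's nftset option (router dnsmasq config); empty until an IoT client resolves pool.ntp.org`. The forward chain opened in the first hunk continues in the lines between the two hunks.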


@ -46,4 +46,15 @@ in
patches = [ ]; patches = [ ];
}); });
# TODO 23.11: Remove
dnsmasq = prev.dnsmasq.overrideAttrs (o: rec {
preBuild = o.preBuild + ''
makeFlagsArray[0]="''${makeFlagsArray[0]} -DHAVE_NFTSET"
'';
buildInputs = o.buildInputs ++ (with prev; [
nftables
]);
});
} }
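Review bot: The `# TODO 23.11: Remove` does not say why the override becomes unnecessary, so whoever does the upgrade cannot verify the condition; I would write `# TODO 23.11: Remove once prev.dnsmasq is built with nftset support (HAVE_NFTSET), which this override enables by hand`, adjusted if the expected 23.11 state differs, since it is not visible here. `o.preBuild + ''...''` also assumes prev.dnsmasq already defines preBuild as a string; if it does not, evaluation fails, and `(o.preBuild or "") + ''...''` avoids that. The `rec` on the override attribute set is unused, as neither attribute refers to the other. The enclosing overlay attribute set starts before the hunk.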