shinobu/router: Dynamically allow ntp for iot

machines/shinobu/services/router/dnsmasq.nix

@@ -42,6 +42,11 @@ in
         ])
         cfg.vlan);
 
+      nftset = [
+        "/pool.ntp.org/4#filter#iot_ntp4"
+        "/pool.ntp.org/6#filter#iot_ntp6" # does not work
+      ];
+
       server = [
         "127.0.0.1#5053"
       ];

machines/shinobu/services/router/rules.nft

@@ -3,6 +3,16 @@ define PHYSICAL_WAN = "enp1s0"
 define NAT_WAN_IFACES = { $PHYSICAL_WAN }
 
 table inet filter {
+	# These two sets are dynamically managed by dnsmasq
+	set iot_ntp4 {
+		type ipv4_addr
+		comment "IPv4 addresses of resolved NTP servers"
+	}
+	set iot_ntp6 {
+		type ipv6_addr
+		comment "IPv6 addresses of resolved NTP servers"
+	}
+
 	chain forward {
 		type filter hook forward priority filter; policy drop
 
@@ -18,7 +28,8 @@ table inet filter {
 		iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept
 
 		iifname "br-iot" ip daddr 167.235.30.249 tcp dport 1883 counter accept # FIXME migrate service to shinobu
-		iifname "br-iot" udp dport 123 counter accept # FIXME too generic
+		iifname "br-iot" ip daddr @iot_ntp4 udp dport 123 counter accept
+		iifname "br-iot" ip6 daddr @iot_ntp6 udp dport 123 counter accept
 		iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept
 	}
 }

pkgs/default.nix

@@ -46,4 +46,15 @@ in
 
     patches = [ ];
   });
+
+  # TODO 23.11: Remove
+  dnsmasq = prev.dnsmasq.overrideAttrs (o: rec {
+    preBuild = o.preBuild + ''
+      makeFlagsArray[0]="''${makeFlagsArray[0]} -DHAVE_NFTSET"
+    '';
+
+    buildInputs = o.buildInputs ++ (with prev; [
+      nftables
+    ]);
+  });
 }