From c0950e0d3930dd405dc198a4b922a6a91072a313 Mon Sep 17 00:00:00 2001
From: Asyncnomi
Date: Tue, 22 Jul 2025 00:53:04 +0200
Subject: [PATCH] fix mesh filtering

---
 shared/commons/nftables.nix | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/shared/commons/nftables.nix b/shared/commons/nftables.nix
index dde5c72..26f0491 100644
--- a/shared/commons/nftables.nix
+++ b/shared/commons/nftables.nix
@@ -1,13 +1,16 @@
-{ lib, ... }:
+{ config, lib, ... }:
 let
 # Import nodes
 nodes = import ./../../nodes.nix;
- myPeer = nodes."${config.hostName}";
+ myName = config.hostName;
+
+ # Import mapping
+ mapping = import ./../../mapping.nix;
 meshUdpRange = "51000-${toString (51000 + builtins.head (
 builtins.sort (a: b: a > b) (
- l ib.mapAttrsToList (name: node: node.id) nodes)))}";
+ lib.mapAttrsToList (name: node: node.id) nodes)))}";
 in
 {
 networking = {
@@ -49,7 +52,7 @@ in
 # Mesh
 udp dport ${meshUdpRange} accept
- ${if lib.elem myPeer mapping.bastion then ''
+ ${if lib.elem myName mapping.bastion then ''
 # Mgmt
 udp dport 51920 accept
 '' else ""}
@@ -65,7 +68,12 @@ in
 ct state related,established accept
 ct state invalid counter drop
- iifname mgmt oifname mesh accept
+ ${if lib.elem myName mapping.bastion then ''
+ iifname mgmt oifname mesh* accept
+ '' else ""}
+
+ # Allow mesh bounces
+ iifname mesh* oifname mesh* accept
 }
 chain output {
 type filter hook output priority 0; policy accept;
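Review bot: The new `mapping` import carries no description of what `mapping.nix` must provide, yet both later hunks gate the mgmt rules on `lib.elem myName mapping.bastion`, which only matches when an entry equals `config.hostName` exactly; a typo or a differently-cased name makes the node silently fall out of the bastion set (fail-closed, so no mgmt accept rules, but with no evaluation error to point at it). I would document that contract next to the import: `# mapping.bastion: list of host names (compared verbatim against config.hostName) allowed to bridge mgmt and mesh`. If `hostName` is a project-defined option rather than the standard `networking.hostName`, a word on where it is declared would help readers as well. Unrelated to this change but visible here, `builtins.head` throws when `nodes` is empty, so `meshUdpRange` has no graceful value for an empty node set.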
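Review bot: The bastion predicate `lib.elem myName mapping.bastion` is now spelled out inline in this hunk and again in the forward-chain hunk below; hoisting it into the `let` block as `isBastion = lib.elem myName mapping.bastion;` and writing `${if isBastion then ''` at both sites gives one place to read and adjust the gating and guarantees the input rule and the forward rule always flip together. As it stands a future edit to one site can leave the two chains disagreeing about which hosts are bastions.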
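Review bot: `iifname mesh* oifname mesh* accept` is unconditional on every node and matches on interface-name prefix only, so any interface whose name begins with `mesh` becomes a transit path to every other such interface, including back out the one the packet arrived on; the comment "Allow mesh bounces" should state that non-bastion nodes are meant to relay too and that mesh peers are trusted for transit, e.g. `# Allow mesh bounces: every node relays between any mesh* interfaces (hairpin included); mesh peers are trusted as transit`. The mgmt→mesh forward is now bastion-only and widened to `mesh*`, which reads as intended, but the forward chain's header and default policy are above this hunk, so I cannot confirm from the diff what happens to forwards that match neither rule. The enclosing chain starts outside the hunk.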