fix mesh filtering

2025-07-22 00:53:04 +02:00 · 2025-07-22 00:53:04 +02:00 · c0950e0d39
commit c0950e0d39
parent ff133ea171
1 changed files with 13 additions and 5 deletions
--- a/shared/commons/nftables.nix
+++ b/shared/commons/nftables.nix
@ -1,9 +1,12 @@
-{ lib, ... }:
+{ config, lib, ... }:

 let
    # Import nodes
    nodes = import ./../../nodes.nix;
-    myPeer = nodes."${config.hostName}";
+    myName = config.hostName;
+
+    # Import mapping
+    mapping = import ./../../mapping.nix;

    meshUdpRange = "51000-${toString (51000 + builtins.head (
        builtins.sort (a: b: a > b) (
@ -49,7 +52,7 @@ in
                            # Mesh
                            udp dport ${meshUdpRange} accept

-                            ${if lib.elem myPeer mapping.bastion then ''
+                            ${if lib.elem myName mapping.bastion then ''
                                # Mgmt
                                udp dport 51920 accept
                            '' else ""}
@ -65,7 +68,12 @@ in
                            ct state related,established accept
                            ct state invalid counter drop

-                            iifname mgmt oifname mesh accept
+                            ${if lib.elem myName mapping.bastion then ''
+                                iifname mgmt oifname mesh* accept
+                            '' else ""}
+
+                            # Allow mesh bounces
+                            iifname mesh* oifname mesh* accept
                        }
                        chain output {
                            type filter hook output priority 0; policy accept;