
firewall: support multicast

peterhoeg committed Jan 7, 2019
1 parent eebd1a9 commit bf73d405fa2ca2c137745f544bdb2ad9852889b9
Showing with 29 additions and 5 deletions.
  1. +29 −5 nixos/modules/services/networking/firewall.nix
@@ -188,9 +188,15 @@ let
) cfg.allowedUDPPortRanges
) allInterfaces)}
# Accept IPv4 multicast. Not a big security risk since
# probably nobody is listening anyway.
#iptables -A nixos-fw -d 224.0.0.0/4 -j nixos-fw-accept
${optionalString cfg.allowBroadcast ''
# Accept broadcast.
ip46tables -A nixos-fw -m pkttype --pkt-type broadcast -j nixos-fw-accept
''}
${optionalString cfg.allowMulticast ''
# Accept multicast.
ip46tables -A nixos-fw -m pkttype --pkt-type multicast -j nixos-fw-accept
''}
# Optionally respond to ICMPv4 pings.
${optionalString cfg.allowPing ''
@@ -267,7 +273,7 @@ let
default = [ ];
example = [ 22 80 ];
description =
''
''
List of TCP ports on which incoming connections are
accepted.
'';
@@ -278,7 +284,7 @@ let
default = [ ];
example = [ { from = 8999; to = 9003; } ];
description =
''
''
A range of TCP ports on which incoming connections are
accepted.
'';
@@ -395,6 +401,24 @@ in
'';
};

allowBroadcast = mkOption {
type = types.bool;
default = false;
description =
''
Whether to allow broadcast traffic.
'';
};

allowMulticast = mkOption {
type = types.bool;
default = false;
description =
''
Whether to allow multicast traffic.
'';
};

pingLimit = mkOption {
type = types.nullOr (types.separatedString " ");
default = null;
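Review bot: The descriptions of the new `allowBroadcast` and `allowMulticast` options in the last hunk (-395,6 +401,24) do not tell the user how wide the rule they enable is: the corresponding `ip46tables -A nixos-fw -m pkttype --pkt-type ... -j nixos-fw-accept` lines in the first hunk match on link-layer packet type, so enabling either accepts every broadcast or multicast packet on every interface, for IPv4 and IPv6 alike and independent of destination port, which is considerably broader than adding a port to `allowedUDPPorts`. I would make that explicit in both descriptions, e.g. `Whether to allow multicast traffic. Enabling this accepts all link-layer multicast packets on all interfaces, for both IPv4 and IPv6, regardless of destination port.` and the equivalent wording for broadcast. In the first hunk, the old comment `# Accept IPv4 multicast. Not a big security risk since probably nobody is listening anyway.` together with the commented-out `#iptables -A nixos-fw -d 224.0.0.0/4 ...` line appears to be kept as context directly above the new rules; if so, it should be dropped, since that rationale was written for a disabled IPv4-only rule and now reads as a justification for the new, much broader option.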
