From 24d9151d15168867b87669ee663e4d15a23ded91 Mon Sep 17 00:00:00 2001
From: Nuno Alves
Date: Mon, 27 Nov 2023 19:00:14 +0000
Subject: [PATCH] nixos/keepalived: add openFirewall option

Allow VRRP and AH (authentication packets) through the firewall automatically if the option is set.
---
 .../networking/keepalived/default.nix | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/nixos/modules/services/networking/keepalived/default.nix b/nixos/modules/services/networking/keepalived/default.nix
index 29fbea5545c3..429a47c3962c 100644
--- a/nixos/modules/services/networking/keepalived/default.nix
+++ b/nixos/modules/services/networking/keepalived/default.nix
@@ -150,6 +150,14 @@ in
       '';
     };
 
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Whether to automatically allow VRRP and AH packets in the firewall.
+      '';
+    };
+
     enableScriptSecurity = mkOption {
       type = types.bool;
       default = false;
@@ -282,6 +290,19 @@ in
 
     assertions = flatten (map vrrpInstanceAssertions vrrpInstances);
 
+    networking.firewall = lib.mkIf cfg.openFirewall {
+      extraCommands = ''
+        # Allow VRRP and AH packets
+        ip46tables -A nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+        ip46tables -A nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+      '';
+
+      extraStopCommands = ''
+        ip46tables -D nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+        ip46tables -D nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+      '';
+    };
+
     systemd.timers.keepalived-boot-delay = {
       description = "Keepalive Daemon delay to avoid instant transition to MASTER state";
       after = [ "network.target" "network-online.target" "syslog.target" ];
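Review bot: The `description` of the new `openFirewall` option undersells what it opens: the rules it enables (second hunk) accept IP protocol 112 (VRRP) and IP protocol 51 (AH) from any source, on every interface, for both IPv4 and IPv6, and they are installed through the iptables backend's `extraCommands`. A user reading "allow VRRP and AH packets in the firewall" would not guess any of that, so the text should state it, e.g. `Whether to allow VRRP (IP protocol 112) and AH (IP protocol 51) packets from any source on all interfaces, for IPv4 and IPv6, in the iptables-based firewall.` and point at `networking.firewall.extraCommands` for users who want a narrower rule. The enclosing options attribute set starts and ends outside the hunk.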
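Review bot: The two `ip46tables -A nixos-fw ... -j ACCEPT` rules in `extraCommands` admit VRRP and AH from any source on every interface in both address families, which is broader than keepalived needs: VRRP advertisements go to the well-known multicast groups, so the default can be pinned with `iptables -A nixos-fw -p vrrp -d 224.0.0.18 -j ACCEPT` and `ip6tables -A nixos-fw -p vrrp -d ff02::12 -j ACCEPT` (ip46tables cannot carry a per-family destination), leaving source-restricted rules to users running unicast peers. The AH rule is presumably only needed by instances that actually use AH authentication; if the module's vrrpInstances expose that choice (not visible in this hunk) the rule should be gated on it rather than always accepting IPsec AH. `extraCommands`/`extraStopCommands` are iptables-only: on a host using the nftables-based firewall these rules are not installed and, as far as I recall, a non-empty `extraCommands` is rejected by an assertion there, so the option should either document that limitation or branch on `config.networking.nftables.enable` and use `extraInputRules`. The `-D` lines repeat the `-A` lines verbatim; a `let` binding rendered twice with the action substituted would keep them from drifting. The enclosing `config` attribute set starts and ends outside the hunk.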