Skip to content

nixos/wireguard: set networking.firewall.allowedUDPPorts automatically#60124

Closed
spacekookie wants to merge 1 commit intoNixOS:masterfrom
spacekookie:wireguard-automatic-firewall
Closed

nixos/wireguard: set networking.firewall.allowedUDPPorts automatically#60124
spacekookie wants to merge 1 commit intoNixOS:masterfrom
spacekookie:wireguard-automatic-firewall

Conversation

@spacekookie
Copy link
Member

@spacekookie spacekookie commented Apr 23, 2019

Motivation for this change

This changes the wireguard module to automatically add the provided
listenPort for an interface to the list of allowed udp ports in the
firewall. This means that users don't have to do this themselves when
configuring a wireguard server.
It also adjusts the wireguard test to not rely on explicitly-set
firewall ports

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@spacekookie spacekookie requested a review from infinisil as a code owner April 23, 2019 21:37
@spacekookie spacekookie force-pushed the wireguard-automatic-firewall branch 2 times, most recently from cc75535 to e72eeea Compare April 23, 2019 21:40
@spacekookie
nixos/wireguard: set networking.firewall.allowedUDPPorts automatically
50d62e2 
This changes the wireguard module to automatically add the provided
`listenPort` for an interface to the list of allowed udp ports in the
firewall. This means that users don't have to do this themselves when
configuring a wireguard server.
@grahamc
Copy link
Member

grahamc commented Apr 23, 2019

We typically don't want to do this, with the notable exception of openssh. This is because it is easy for users to add this configuration setting, but difficult for users to remove it. I would personally prefer we not do this, even though I do understand that it makes common case configuration easier.

@spacekookie spacekookie force-pushed the wireguard-automatic-firewall branch from e72eeea to 50d62e2 Compare April 23, 2019 21:40
@alyssais
Copy link
Member

alyssais commented Apr 23, 2019

When would you want to set a listen port, but not make it accessible?

@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Apr 23, 2019
@grahamc
Copy link
Member

grahamc commented Apr 23, 2019

For example, I might want to make it accessible on some interfaces but not others.

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. labels Apr 23, 2019
@alyssais
Copy link
Member

alyssais commented Apr 23, 2019 via email

@spacekookie
Copy link
Member Author

spacekookie commented Apr 24, 2019

We typically don't want to do this, with the notable exception of openssh. This is because it is easy for users to add this configuration setting, but difficult for users to remove it. I would personally prefer we not do this, even though I do understand that it makes common case configuration easier.

Alright, yea that makes sense.

I couldn't find any issues/ PRs where this rationale had been pointed out explicitly before. So I guess this is now documentation 😅

@spacekookie spacekookie deleted the wireguard-automatic-firewall branch May 11, 2019 18:43
@spacekookie spacekookie restored the wireguard-automatic-firewall branch May 11, 2019 18:43
@flokli flokli mentioned this pull request Jun 5, 2019
Merged
10 tasks
@Ma27 Ma27 mentioned this pull request Aug 10, 2020
Closed
11 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@infinisil infinisil Awaiting requested review from infinisil

Assignees

No one assigned

Labels

6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@spacekookie @grahamc @alyssais