Merge pull request #270467 from nalves599/269944-keepalived-firewall

nixos/keepalived: add openFirewall option

authored by Emily and committed by GitHub a0ba4615 de502c4d

+21
+21
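--- a/nixos/modules/services/networking/keepalived/default.nix
+++ b/nixos/modules/services/networking/keepalived/default.nix
@@ -150,6 +150,14 @@
       '';
     };
 
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Whether to automatically allow VRRP and AH packets in the firewall.
+      '';
+    };
+
     enableScriptSecurity = mkOption {
       type = types.bool;
       default = false;
@@ -281,6 +289,19 @@
   config = mkIf cfg.enable {
 
     assertions = flatten (map vrrpInstanceAssertions vrrpInstances);
+
+    networking.firewall = lib.mkIf cfg.openFirewall {
+      extraCommands = ''
+        # Allow VRRP and AH packets
+        ip46tables -A nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+        ip46tables -A nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+      '';
+
+      extraStopCommands = ''
+        ip46tables -D nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+        ip46tables -D nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+      '';
+    };
 
     systemd.timers.keepalived-boot-delay = {
       description = "Keepalive Daemon delay to avoid instant transition to MASTER state";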
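Review bot: The two `ip46tables -D` lines in the new `extraStopCommands` return non-zero when the rule is not present (for example when the firewall is stopped before a reload ever added them), and if the firewall stop script runs under `set -e` the first miss aborts it, leaving the second rule and any other module's stop commands unrun. Other NixOS modules guard such deletions, so each line should read `ip46tables -D nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT 2>/dev/null || true` and likewise for `-p ah`. The option description could also state that the rules accept VRRP and AH from any source and interface, so operators wanting to restrict peers to the VRRP interface should leave `openFirewall` false and write their own rules. As a style point, the surrounding file uses bare `mkIf` and `mkOption`, while the new code mixes in `lib.mkIf` and `lib.mdDoc`; the enclosing `config = mkIf cfg.enable { … }` block continues outside the hunk.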