From 716a2fc6e842ff051df6de1999b5b97780f2d2cd Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Thu, 30 Jun 2016 00:52:35 +0200
Subject: [PATCH] tv iptables: add input-*-accept-udp

---
 tv/1systems/cd.nix                |  8 ++++----
 tv/1systems/mkdir.nix             |  4 ++--
 tv/1systems/rmdir.nix             |  4 ++--
 tv/2configs/default.nix           |  2 +-
 tv/2configs/exim-retiolum.nix     |  2 +-
 tv/2configs/exim-smarthost.nix    |  2 +-
 tv/2configs/nginx/default.nix     |  2 +-
 tv/2configs/nginx/public_html.nix |  2 +-
 tv/2configs/retiolum.nix          |  2 +-
 tv/3modules/iptables.nix          | 24 ++++++++++++++++++------
 10 files changed, 32 insertions(+), 20 deletions(-)

diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index 32d956b8a..a46edb4d9 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -18,7 +18,7 @@ with config.krebs.lib;
         enable = true;
         ssl_cert = ../Zcerts/charybdis_cd.crt.pem;
       };
-      tv.iptables.input-retiolum-accept-new-tcp = [
+      tv.iptables.input-retiolum-accept-tcp = [
         config.tv.charybdis.port
         config.tv.charybdis.sslport
       ];
@@ -28,14 +28,14 @@ with config.krebs.lib;
         enable = true;
         hosts = [ "jabber.viljetic.de" ];
       };
-      tv.iptables.input-internet-accept-new-tcp = [
+      tv.iptables.input-internet-accept-tcp = [
         "xmpp-client"
         "xmpp-server"
       ];
     }
     {
       krebs.github-hosts-sync.enable = true;
-      tv.iptables.input-internet-accept-new-tcp =
+      tv.iptables.input-internet-accept-tcp =
         singleton config.krebs.github-hosts-sync.port;
     }
     {
@@ -57,7 +57,7 @@ with config.krebs.lib;
           root ${pkgs.viljetic-pages};
         '');
       };
-      tv.iptables.input-internet-accept-new-tcp = singleton "http";
+      tv.iptables.input-internet-accept-tcp = singleton "http";
     }
   ];
 
diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix
index f46ed9547..dcec1e200 100644
--- a/tv/1systems/mkdir.nix
+++ b/tv/1systems/mkdir.nix
@@ -22,12 +22,12 @@ in
     {
       tv.iptables = {
         enable = true;
-        input-internet-accept-new-tcp = [
+        input-internet-accept-tcp = [
           "ssh"
           "tinc"
           "smtp"
         ];
-        input-retiolum-accept-new-tcp = [
+        input-retiolum-accept-tcp = [
           "http"
         ];
       };
diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix
index 25fae2c36..34f926020 100644
--- a/tv/1systems/rmdir.nix
+++ b/tv/1systems/rmdir.nix
@@ -22,12 +22,12 @@ in
     {
       tv.iptables = {
         enable = true;
-        input-internet-accept-new-tcp = [
+        input-internet-accept-tcp = [
           "ssh"
           "tinc"
           "smtp"
         ];
-        input-retiolum-accept-new-tcp = [
+        input-retiolum-accept-tcp = [
           "http"
         ];
       };
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index 741955eee..2eab8d1db 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -174,7 +174,7 @@ with config.krebs.lib;
           { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
         ];
       };
-      tv.iptables.input-internet-accept-new-tcp = singleton "ssh";
+      tv.iptables.input-internet-accept-tcp = singleton "ssh";
     }
 
     {
diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix
index 9197a3c30..ad355f8b4 100644
--- a/tv/2configs/exim-retiolum.nix
+++ b/tv/2configs/exim-retiolum.nix
@@ -4,5 +4,5 @@ with config.krebs.lib;
 
 {
   krebs.exim-retiolum.enable = true;
-  tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp";
+  tv.iptables.input-retiolum-accept-tcp = singleton "smtp";
 }
diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix
index 3616a8f52..351b54da1 100644
--- a/tv/2configs/exim-smarthost.nix
+++ b/tv/2configs/exim-smarthost.nix
@@ -43,5 +43,5 @@ with config.krebs.lib;
       { from = "mirko"; to = "mv"; }
     ];
   };
-  tv.iptables.input-internet-accept-new-tcp = singleton "smtp";
+  tv.iptables.input-internet-accept-tcp = singleton "smtp";
 }
diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix
index 1fac65a31..d0d07d5ca 100644
--- a/tv/2configs/nginx/default.nix
+++ b/tv/2configs/nginx/default.nix
@@ -12,6 +12,6 @@ with config.krebs.lib;
     ];
   };
   tv.iptables = optionalAttrs config.krebs.nginx.enable {
-    input-retiolum-accept-new-tcp = singleton "http";
+    input-retiolum-accept-tcp = singleton "http";
   };
 }
diff --git a/tv/2configs/nginx/public_html.nix b/tv/2configs/nginx/public_html.nix
index 15a3b5482..858f16563 100644
--- a/tv/2configs/nginx/public_html.nix
+++ b/tv/2configs/nginx/public_html.nix
@@ -11,5 +11,5 @@ with config.krebs.lib;
       '')
     ];
   };
-  tv.iptables.input-internet-accept-new-tcp = singleton "http";
+  tv.iptables.input-internet-accept-tcp = singleton "http";
 }
diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix
index e1598d792..ec3508d90 100644
--- a/tv/2configs/retiolum.nix
+++ b/tv/2configs/retiolum.nix
@@ -13,5 +13,5 @@ with config.krebs.lib;
       "ire"
     ];
   };
-  tv.iptables.input-internet-accept-new-tcp = singleton "tinc";
+  tv.iptables.input-internet-accept-tcp = singleton "tinc";
 }
diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix
index c0e71f24d..4b1d1ef87 100644
--- a/tv/3modules/iptables.nix
+++ b/tv/3modules/iptables.nix
@@ -17,12 +17,22 @@ let
       default = "retiolum";
     };
 
-    input-internet-accept-new-tcp = mkOption {
+    input-internet-accept-tcp = mkOption {
       type = with types; listOf (either int str);
       default = [];
     };
 
-    input-retiolum-accept-new-tcp = mkOption {
+    input-internet-accept-udp = mkOption {
+      type = with types; listOf (either int str);
+      default = [];
+    };
+
+    input-retiolum-accept-tcp = mkOption {
+      type = with types; listOf (either int str);
+      default = [];
+    };
+
+    input-retiolum-accept-udp = mkOption {
       type = with types; listOf (either int str);
       default = [];
     };
@@ -83,8 +93,8 @@ let
       ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT";
       ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT";
     }."ip${toString iptables-version}tables";
-    accept-new-tcp = port:
-      "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
+    accept-tcp = port: "-p tcp -m tcp --dport ${port} -j ACCEPT";
+    accept-udp = port: "-p udp -m udp --dport ${port} -j ACCEPT";
   in
     pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
       *nat
@@ -112,13 +122,15 @@ let
           "-i lo -j ACCEPT"
         ]
         ++ optional (cfg.accept-echo-request == "internet") accept-echo-request
-        ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
+        ++ map accept-tcp (unique (map toString cfg.input-internet-accept-tcp))
+        ++ map accept-udp (unique (map toString cfg.input-internet-accept-udp))
         ++ ["-i retiolum -j Retiolum"]
       )}
       ${formatTable cfg.extra.filter}
       ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
         ++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
-        ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))
+        ++ map accept-tcp (unique (map toString cfg.input-retiolum-accept-tcp))
+        ++ map accept-udp (unique (map toString cfg.input-retiolum-accept-udp))
         ++ {
           ip4tables = [
             "-p tcp -j REJECT --reject-with tcp-reset"