Yureka Lilian <yureka@cyberchaos.dev> writes:
Signed-off-by: Yureka Lilian <yureka@cyberchaos.dev>
---
 vm/sys/net/default.nix             | 13 +++++++++----
 vm/sys/net/image/etc/fstab         |  2 ++
 vm/sys/net/image/etc/mdev/iface    | 27 ++++++++------------------
 vm/sys/net/image/etc/nftables.conf | 16 ++++++++++++----
 4 files changed, 31 insertions(+), 27 deletions(-)
Looks good. Just a couple of small questions.
diff --git a/vm/sys/net/default.nix b/vm/sys/net/default.nix index c7ae88e..fd5bf08 100644 --- a/vm/sys/net/default.nix +++ b/vm/sys/net/default.nix @@ -2,12 +2,12 @@ # SPDX-FileCopyrightText: 2021-2023 Alyssa Ross <hi@alyssa.is>
import ../../../lib/call-package.nix ( -{ spectrum-build-tools, src, terminfo, pkgsMusl }: +{ spectrum-build-tools, spectrum-driver-tools, src, terminfo, pkgsMusl }:
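Review bot: `spectrum-driver-tools` is added to the argument list next to `spectrum-build-tools`, but nothing in this hunk shows where it is used, so it is not clear whether it only runs in the build sandbox or ends up inside the image; if it is part of the image, it should come from `pkgsMusl` like the rest of the VM contents, and either way the commit message should say which.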
We're taking this from the default package set, where it's built with Glibc — presumably it should be built with musl like everything else in the VM?
diff --git a/vm/sys/net/image/etc/nftables.conf b/vm/sys/net/image/etc/nftables.conf index 296d92c..cc8e462 100644 --- a/vm/sys/net/image/etc/nftables.conf +++ b/vm/sys/net/image/etc/nftables.conf @@ -1,8 +1,16 @@ # SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> +# SPDX-FileCopyrightText: 2025 Yureka Lilian <yureka@cyberchaos.dev>
-table nat { - chain postrouting { - type nat hook postrouting priority 100; +table driver-fw { + chain input { + type filter hook input priority filter; policy drop; + } + + chain output { + type filter hook output priority filter; policy drop; + } + + chain forward { + type filter hook forward priority filter; policy drop; } }
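Review bot: the new `driver-fw` table registers `input`, `output` and `forward` base chains with `policy drop` and no rules in any of them, so as committed this file drops every packet, including loopback and the return traffic of the VM's own connections; if the rules are meant to be added at runtime (for instance by the `mdev/iface` script touched in this series), the commit message should say so, and a static `ct state established,related accept` and `iif lo accept` in `chain input` would leave the VM in a safer state if that script never runs. Two smaller points: `table driver-fw` with no family keyword is an `ip` table, so none of these drop policies apply to IPv6 traffic, whereas `table inet driver-fw` would cover both; and replacing the 2021 `SPDX-FileCopyrightText` line instead of adding the 2025 line beside it removes the original author's notice, so keep both unless the file is considered fully rewritten. The single-line `type filter hook input priority filter; policy drop;` form is the same layout `nft list ruleset` prints, so that part needs no change.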
As someone with basically no netfilter experience, I'm surprised to not see a newline after a semicolon. Is that idiomatic for netfilter?