authorNuno Alves <nuno.alves02@gmail.com>2023-11-27 19:00:14 +0000
committergithub-actions[bot] <github-actions[bot]@users.noreply.github.com>2023-12-04 09:28:56 +0000
commit29ef33b65cc7c369c5e97258ea33bd86622412f6 (patch)
treeb6bc03d1d8747fda3f8ab94217883dd23eeb82fd /nixos/modules
parent7823e1f33ae67656f759beca4d37f841a9d82120 (diff)
nixos/keepalived: add openFirewall option
Allow VRRP and AH (authentication packets) through the firewall
automatically if the option is set.

(cherry picked from commit 24d9151d15168867b87669ee663e4d15a23ded91)
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/services/networking/keepalived/default.nix21
1 files changed, 21 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/keepalived/default.nix b/nixos/modules/services/networking/keepalived/default.nix
index 29fbea5545c36..429a47c3962c6 100644
--- a/nixos/modules/services/networking/keepalived/default.nix
+++ b/nixos/modules/services/networking/keepalived/default.nix
@@ -150,6 +150,14 @@ in
         '';
       };
 
+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          Whether to automatically allow VRRP and AH packets in the firewall.
+        '';
+      };
+
       enableScriptSecurity = mkOption {
         type = types.bool;
         default = false;
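Review bot: The option description at L32 does not tell the reader what the firewall rules actually admit: they accept VRRP and AH from any source on every interface, not only on the interface the VRRP instance runs on. A user weighing this option needs that scope stated, e.g. `Whether to automatically allow VRRP and AH packets in the firewall. The rules are not restricted by interface or peer address; consider a stricter rule via networking.firewall.extraCommands on multi-homed hosts.` The enclosing options attrset begins before this hunk.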
@@ -282,6 +290,19 @@ in
 
     assertions = flatten (map vrrpInstanceAssertions vrrpInstances);
 
+    networking.firewall = lib.mkIf cfg.openFirewall {
+      extraCommands = ''
+        # Allow VRRP and AH packets
+        ip46tables -A nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+        ip46tables -A nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+      '';
+
+      extraStopCommands = ''
+        ip46tables -D nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+        ip46tables -D nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
+      '';
+    };
+
     systemd.timers.keepalived-boot-delay = {
       description = "Keepalive Daemon delay to avoid instant transition to MASTER state";
       after = [ "network.target" "network-online.target" "syslog.target" ];
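Review bot: The two ACCEPT rules at L46–L47 match solely on protocol (`-p vrrp`, `-p ah`), so once `openFirewall` is set any host on any attached network can deliver VRRP advertisements and AH packets to this node, which is a wider exposure than a keepalived cluster needs; the upstream VRRP instances already name the interface they run on, so a per-instance `-i <interface>` restriction derived from `cfg.vrrpInstances` (if that option exists as I recall) would keep the same default behaviour for single-homed hosts while bounding it on multi-homed ones. Separately, `extraCommands`/`extraStopCommands` are consumed only by the iptables backend; if the module is evaluated with the nftables-based firewall these strings are, to my knowledge, either ignored or rejected by an assertion, so the option should either document that limitation or add a matching `networking.firewall.allowedTCPPorts`-style declaration that both backends honour. The `systemd.timers.keepalived-boot-delay` block at L56 continues past the end of this hunk.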