chore: switch comments to nftables comments

arichtman · Jan 5, 2025 · 2e3171c · 2e3171c
1 parent 8234c68
commit 2e3171c
Showing 1 changed file with 4 additions and 7 deletions.
diff --git a/modules/nixos/lab-node/default.nix b/modules/nixos/lab-node/default.nix
@@ -175,13 +175,10 @@ in
         nftables.enable = true;
         # Only allow ingress from ranges I control
         firewall.extraInputRules = lib.concatStringsSep "\n" [
-          # Allow my IPv4 private subnets into HTTPS
-          "ip saddr { 192.168.1.0/24,192.168.2.0/24 } tcp dport 443 accept"
-          # Allow anything in my primary prefix into HTTPS
-          "ip6 saddr { 2403:580a:e4b1::/48 } tcp dport 443 accept"
-          # mDNS
-          "ip saddr { 192.168.1.0/24 } udp dport 5353 accept"
-          "ip6 saddr { 2403:580a:e4b1::/48 } udp dport 5353 accept"
+          "ip saddr { 192.168.1.0/24,192.168.2.0/24 } tcp dport 443 accept comment \"Allow private IPv4 subnets\""
+          "ip6 saddr { 2403:580a:e4b1::/48 } tcp dport 443 accept comment \"Allow my IPv6 prefix\""
+          "ip saddr { 192.168.1.0/24 } udp dport 5353 accept comment \"Allow mDNS\""
+          "ip6 saddr { 2403:580a:e4b1::/48 } udp dport 5353 accept comment \"Allow IPv6 mDNS\""
         ];
         # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
         # (the default) this is the recommended approach. When using systemd-networkd it's