NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License
18.14k stars, 14.17k forks

nixos/samba-wsdd: openFirewall option does not allow multicast traffic #309910

Open xieve opened 6 months ago

xieve commented 6 months ago

Describe the bug

Machines (called "servers" from here on) running the samba-wsdd module with openFirewall set to true will announce themselves on the network when wsdd starts up, but will not receive multicasts from scanning Windows machines (called "clients" from here on). This results in servers only showing up in the Windows Explorer network section when wsdd is (re-)started while the Explorer is open, but not when you open or refresh the Explorer while wsdd is running.

Steps To Reproduce

Steps to reproduce the behavior:

1. Add to the configuration:

services.samba-wsdd = {
  enable = true;
  openFirewall = true;
};

2. Rebuild
3. Server will show up on client
4. Hit F5 in the Explorer
5. Server will disappear in Explorer
6. systemctl stop firewall.service
7. Hit F5 in Explorer
8. Server will appear in Explorer

Expected behavior

services.samba-wsdd.openFirewall should configure the firewall in a way that does not block any traffic sent or received by the service. I have found this configuration, which works for me:

Edit: Because it crashes firewall.service, oops.

networking.firewall.extraCommands = ''
  iptables -s 224.0.0.0/24 -j nixos-fw-accept
'';

I don't know whether this is fine security-wise. IPv6 should probably also be configured similarly.

Notify maintainers

@Izorkin

Metadata

$ nix run nixpkgs#nix-info -- -m 
 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.79, NixOS, 24.05 (Uakari), 24.05.20240229.1536926`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.1`
 - nixpkgs: `/nix/store/lwyjz70qh12nq6cb7fixl85vryzxqm3c-source`


Izorkin commented 6 months ago

Does this variant work?

networking.firewall.extraCommands = ''
  iptables -s 239.255.255.250 -j nixos-fw-accept
'';

Information from https://github.com/christgau/wsdd#firewall-setup

Izorkin commented 6 months ago

On my home server I use this variant:

iptables -t filter -N SAMBA-WSDD
iptables -t filter -A SAMBA-WSDD -p udp -m state --state NEW -m udp --dport 3702 -s 192.168.0.0/24 -j ACCEPT
iptables -t filter -A SAMBA-WSDD -p udp -m state --state NEW -m udp --sport 3702 -s 192.168.0.0/24 -j ACCEPT
iptables -t filter -A SAMBA-WSDD -p tcp -m state --state NEW -m tcp --dport 5357 -s 192.168.0.0/24 -j ACCEPT
iptables -t filter -A SAMBA-WSDD -p tcp -m state --state NEW -m tcp --sport 5357 -s 192.168.0.0/24 -j ACCEPT
iptables -t filter -A SAMBA-WSDD -p igmp -m state --state NEW -m pkttype --pkt-type multicast -d 239.255.255.250 -j ACCEPT
iptables -t filter -A SAMBA-WSDD -j RETURN

xieve commented 6 months ago

> Does this variant work?
>
> networking.firewall.extraCommands = ''
>   iptables -s 239.255.255.250 -j nixos-fw-accept
> '';
>
> Information from https://github.com/christgau/wsdd#firewall-setup

Oh, I just realized my iptables commands are completely bogus. The reason this works anyway is that firewall.service will fail silently and just not start lol. Here's a config that actually works:

networking.firewall.extraCommands = ''
  iptables -A nixos-fw -p udp -m conntrack --ctstate NEW -m pkttype --pkt-type multicast -d 239.255.255.250 -j nixos-fw-accept
  ip6tables -A nixos-fw -p udp -m conntrack --ctstate NEW -m pkttype --pkt-type multicast -d ff02::c -j nixos-fw-accept
'';

I'm still improving on this at the moment. IPv4 is not really working.

xieve commented 6 months ago

networking.firewall.extraCommands = ''
  iptables -A nixos-fw -p udp -m pkttype --pkt-type multicast -m udp --dport 3702 -d 239.255.255.250/32 -j nixos-fw-accept
  ip6tables -A nixos-fw -p udp -m pkttype --pkt-type multicast -m udp --dport 3702 -d ff02::c/128 -j nixos-fw-accept
'';

I think this should be sufficiently precise. I have confirmed that it works via IPv6 and IPv4. AFAIK this will not work with nftables, sadly.
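As an added example (not from this thread and not part of the samba-wsdd module), the configuration below takes the rule the thread converged on and narrows it further: the exception is bound to a single LAN-facing interface and, for hosts that have switched the NixOS firewall to the nftables backend, the same policy is expressed through `networking.firewall.extraInputRules`, so the nftables case the last comment could not cover is handled too. The interface name `eth0` is a placeholder; everything else (the multicast groups, port 3702, the `nixos-fw` chain, the `extraInputRules` hook and the `services.samba-wsdd.interface` option) is as NixOS ships it.

```nix
# Added example, not code from the issue thread or the samba-wsdd module.
# Scope the WS-Discovery multicast exception to one interface and express
# it for both NixOS firewall backends (iptables and nftables).
{ config, lib, ... }:

let
  lanIf = "eth0";                 # placeholder: the interface facing the clients
  wsdGroup4 = "239.255.255.250";  # WS-Discovery IPv4 multicast group
  wsdGroup6 = "ff02::c";          # WS-Discovery IPv6 link-local multicast group
  wsdPort = 3702;                 # WS-Discovery UDP port
  useNft = config.networking.nftables.enable;
in
{
  services.samba-wsdd = {
    enable = true;
    openFirewall = true;  # unicast 3702/udp and 5357/tcp, as the module does today
    interface = lanIf;    # only announce and listen on the LAN-facing interface
  };

  # iptables backend (the default). extraCommands is rejected by the nftables
  # backend, so it is only set when nftables is off. The rule accepts only
  # multicast packets to the WS-Discovery group and port, arriving on lanIf.
  networking.firewall.extraCommands = lib.mkIf (!useNft) ''
    iptables -A nixos-fw -i ${lanIf} -p udp -m pkttype --pkt-type multicast -m udp --dport ${toString wsdPort} -d ${wsdGroup4}/32 -j nixos-fw-accept
    ip6tables -A nixos-fw -i ${lanIf} -p udp -m pkttype --pkt-type multicast -m udp --dport ${toString wsdPort} -d ${wsdGroup6}/128 -j nixos-fw-accept
  '';

  # nftables backend: same policy, inserted into the firewall's input chain.
  # Matching on the multicast destination address keeps the exception as
  # narrow as the iptables pkttype match above.
  networking.firewall.extraInputRules = lib.mkIf useNft ''
    iifname "${lanIf}" ip daddr ${wsdGroup4} udp dport ${toString wsdPort} accept
    iifname "${lanIf}" ip6 daddr ${wsdGroup6} udp dport ${toString wsdPort} accept
  '';
}
```

Binding the exception to an interface matters on servers with more than one network: the probe multicasts are only expected from the LAN where the Windows clients live, and leaving the rule unscoped would accept WS-Discovery probes arriving on any interface, including an uplink. After a rebuild, `iptables -S nixos-fw` (or `nft list chain inet nixos-fw input`) shows the added rule, and a client refresh (F5) in Explorer should then find the server without stopping firewall.service.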