SSDP firewall support

I have a Sonos system and I tried getting Noson (installed via Flatpak, it’s not in nixpkgs yet) to work with it, and I tried several things but in the end this is what made it work:

  # support SSDP https://serverfault.com/a/911286/9166
  networking.firewall.extraPackages = [ pkgs.ipset ];
  networking.firewall.extraCommands = ''
    # set of (ip, port) pairs; entries expire after 3 s
    ipset create upnp hash:ip,port timeout 3
    # record source ip/port of every outgoing SSDP multicast query
    iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
    # accept unicast replies addressed to a recorded ip/port
    iptables -A INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT
  '';

I also have the avahi service enabled to make Chromecast work, maybe that’s necessary too.

I’m wondering if there is a better way to configure this in NixOS, and also if perhaps there should be an allowSsdp setting in the firewall module.

What about firewall stops and updates; should anything be done for those?

Update: I needed to open port 1400 to allow control traffic, and I made ipset not fail on restart, and I added the input rule to nixos-fw:

  networking.firewall.allowedTCPPorts = [
    # Sonos
    1400
  ];

  # support SSDP https://serverfault.com/a/911286/9166
  networking.firewall.extraPackages = [ pkgs.ipset ];
  networking.firewall.extraCommands = ''
    # "ipset create" fails if the set already exists, so only create it the first time
    if ! ipset --quiet list upnp; then
      ipset create upnp hash:ip,port timeout 3
    fi
    # record source ip/port of every outgoing SSDP multicast query for 3 s;
    # a restart only recreates the nixos-fw chains, so this rule is appended to OUTPUT again each time
    iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
    # accept unicast replies to a recorded ip/port via the module-managed nixos-fw chain
    iptables -A nixos-fw -p udp -m set --match-set upnp dst,dst -j nixos-fw-accept
  '';

This works but whenever I restart it adds the same rule to the OUTPUT chain.

I created an issue for adding support: firewall: support SSDP · Issue #161328 · NixOS/nixpkgs · GitHub
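A restart-safe version of the rules above, added here as an example (it is not the post's own config nor the NixOS module's code): every step checks for its own previous work, so re-running it on a firewall restart no longer appends a second OUTPUT rule or trips over the existing set. It assumes the body of ssdp_rules is pasted into extraCommands and ssdp_cleanup into extraStopCommands; IPTABLES and IPSET are hypothetical override variables so the helpers can be exercised with stubs.

```shell
#!/bin/sh
# Idempotent SSDP firewall helpers (constructed example, not the original
# post's config). The same lines run unchanged on every firewall restart,
# so each step first checks whether it already happened.
# IPTABLES/IPSET are overridable so the helpers can be exercised with stubs.
IPTABLES="${IPTABLES:-iptables}"
IPSET="${IPSET:-ipset}"

# Append a rule only if an identical rule is not already in CHAIN.
# "iptables -C" returns 0 when the rule exists and 1 when it does not.
rule_once() {
  chain="$1"; shift
  if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
    return 0
  fi
  "$IPTABLES" -A "$chain" "$@"
}

# Create a set only if it does not exist yet ("ipset create" fails on an
# existing set, which would abort the whole firewall start script).
ipset_once() {
  name="$1"; shift
  "$IPSET" -q list "$name" >/dev/null 2>&1 || "$IPSET" create "$name" "$@"
}

# The SSDP setup from the post, made restart-safe: remember (ip, port) of
# each outgoing multicast query for 3 s and accept unicast replies to it.
ssdp_rules() {
  ipset_once upnp hash:ip,port timeout 3
  rule_once OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 \
    -j SET --add-set upnp src,src --exist
  rule_once nixos-fw -p udp -m set --match-set upnp dst,dst -j nixos-fw-accept
}

# Mirror for extraStopCommands: delete the OUTPUT rule first (a set cannot be
# destroyed while a rule references it), then the set. Failures are ignored so
# the stop script never aborts when a rule or set is already gone.
ssdp_cleanup() {
  "$IPTABLES" -D OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 \
    -j SET --add-set upnp src,src --exist 2>/dev/null || true
  "$IPSET" -q destroy upnp 2>/dev/null || true
}
```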

Do you know what is the difference between this and the conntrack approach mentioned in How to add conntrack helper to firewall??

I had the conntrack helper first but that didn’t work for me. I concluded that the conntrack helper is for running an SSDP server.