nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-27 01:13:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

nixos/networking.firewall: remove with lib;

Browse Source
This commit is contained in:
Felix Buehler 2024-08-28 21:19:07 +02:00 committed by Jörg Thalheim
parent e915ced804
commit 00d0e3ba98
1 changed files with 51 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
nixos/modules/services/networking/firewall.nix
View File

@ -1,7 +1,4 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.networking.firewall;
@ -10,8 +7,8 @@ let
ports: lib.unique (builtins.sort builtins.lessThan ports);
commonOptions = {
allowedTCPPorts = mkOption {
type = types.listOf types.port;
allowedTCPPorts = lib.mkOption {
type = lib.types.listOf lib.types.port;
default = [ ];
apply = canonicalizePortList;
example = [ 22 80 ];
@ -21,8 +18,8 @@ let
'';
};
allowedTCPPortRanges = mkOption {
type = types.listOf (types.attrsOf types.port);
allowedTCPPortRanges = lib.mkOption {
type = lib.types.listOf (lib.types.attrsOf lib.types.port);
default = [ ];
example = [{ from = 8999; to = 9003; }];
description = ''
@ -31,8 +28,8 @@ let
'';
};
allowedUDPPorts = mkOption {
type = types.listOf types.port;
allowedUDPPorts = lib.mkOption {
type = lib.types.listOf lib.types.port;
default = [ ];
apply = canonicalizePortList;
example = [ 53 ];
@ -41,8 +38,8 @@ let
'';
};
allowedUDPPortRanges = mkOption {
type = types.listOf (types.attrsOf types.port);
allowedUDPPortRanges = lib.mkOption {
type = lib.types.listOf (lib.types.attrsOf lib.types.port);
default = [ ];
example = [{ from = 60000; to = 61000; }];
description = ''
@ -58,8 +55,8 @@ in
options = {
networking.firewall = {
enable = mkOption {
type = types.bool;
enable = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether to enable the firewall. This is a simple stateful
@ -68,18 +65,18 @@ in
'';
};
package = mkOption {
type = types.package;
package = lib.mkOption {
type = lib.types.package;
default = if config.networking.nftables.enable then pkgs.nftables else pkgs.iptables;
defaultText = literalExpression ''if config.networking.nftables.enable then "pkgs.nftables" else "pkgs.iptables"'';
example = literalExpression "pkgs.iptables-legacy";
defaultText = lib.literalExpression ''if config.networking.nftables.enable then "pkgs.nftables" else "pkgs.iptables"'';
example = lib.literalExpression "pkgs.iptables-legacy";
description = ''
The package to use for running the firewall service.
'';
};
logRefusedConnections = mkOption {
type = types.bool;
logRefusedConnections = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether to log rejected or dropped incoming connections.
@ -88,8 +85,8 @@ in
'';
};
logRefusedPackets = mkOption {
type = types.bool;
logRefusedPackets = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to log all rejected or dropped incoming packets.
@ -100,8 +97,8 @@ in
'';
};
logRefusedUnicastsOnly = mkOption {
type = types.bool;
logRefusedUnicastsOnly = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
If {option}`networking.firewall.logRefusedPackets`
@ -111,8 +108,8 @@ in
'';
};
rejectPackets = mkOption {
type = types.bool;
rejectPackets = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
If set, refused packets are rejected rather than dropped
@ -123,8 +120,8 @@ in
'';
};
trustedInterfaces = mkOption {
type = types.listOf types.str;
trustedInterfaces = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "enp0s2" ];
description = ''
@ -134,8 +131,8 @@ in
'';
};
allowPing = mkOption {
type = types.bool;
allowPing = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether to respond to incoming ICMPv4 echo requests
@ -145,8 +142,8 @@ in
'';
};
pingLimit = mkOption {
type = types.nullOr (types.separatedString " ");
pingLimit = lib.mkOption {
type = lib.types.nullOr (lib.types.separatedString " ");
default = null;
example = "--limit 1/minute --limit-burst 5";
description = ''
@ -160,10 +157,10 @@ in
'';
};
checkReversePath = mkOption {
type = types.either types.bool (types.enum [ "strict" "loose" ]);
checkReversePath = lib.mkOption {
type = lib.types.either lib.types.bool (lib.types.enum [ "strict" "loose" ]);
default = true;
defaultText = literalMD "`true` except if the iptables based firewall is in use and the kernel lacks rpfilter support";
defaultText = lib.literalMD "`true` except if the iptables based firewall is in use and the kernel lacks rpfilter support";
example = "loose";
description = ''
Performs a reverse path filter test on a packet. If a reply
@ -180,8 +177,8 @@ in
'';
};
logReversePathDrops = mkOption {
type = types.bool;
logReversePathDrops = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Logs dropped packets failing the reverse path filter test if
@ -189,8 +186,8 @@ in
'';
};
filterForward = mkOption {
type = types.bool;
lib.filterForward = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable filtering in IP forwarding.
@ -199,8 +196,8 @@ in
'';
};
connectionTrackingModules = mkOption {
type = types.listOf types.str;
connectionTrackingModules = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
description = ''
@ -219,8 +216,8 @@ in
'';
};
autoLoadConntrackHelpers = mkOption {
type = types.bool;
autoLoadConntrackHelpers = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to auto-load connection-tracking helpers.
@ -230,29 +227,29 @@ in
'';
};
extraPackages = mkOption {
type = types.listOf types.package;
extraPackages = lib.mkOption {
type = lib.types.listOf lib.types.package;
default = [ ];
example = literalExpression "[ pkgs.ipset ]";
example = lib.literalExpression "[ pkgs.ipset ]";
description = ''
Additional packages to be included in the environment of the system
as well as the path of networking.firewall.extraCommands.
'';
};
interfaces = mkOption {
interfaces = lib.mkOption {
default = { };
type = with types; attrsOf (submodule [{ options = commonOptions; }]);
type = with lib.types; attrsOf (submodule [{ options = commonOptions; }]);
description = ''
Interface-specific open ports.
'';
};
allInterfaces = mkOption {
allInterfaces = lib.mkOption {
internal = true;
visible = false;
default = { default = mapAttrs (name: value: cfg.${name}) commonOptions; } // cfg.interfaces;
type = with types; attrsOf (submodule [{ options = commonOptions; }]);
default = { default = lib.mapAttrs (name: value: cfg.${name}) commonOptions; } // cfg.interfaces;
type = with lib.types; attrsOf (submodule [{ options = commonOptions; }]);
description = ''
All open ports.
'';
@ -262,11 +259,11 @@ in
};
config = mkIf cfg.enable {
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.filterForward -> config.networking.nftables.enable;
assertion = cfg.lib.filterForward -> config.networking.nftables.enable;
message = "filterForward only works with the nftables based firewall";
}
{
@ -279,9 +276,9 @@ in
environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages;
boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
boot.kernelModules = (lib.optional cfg.autoLoadConntrackHelpers "nf_conntrack")
++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers ''
boot.extraModprobeConfig = lib.optionalString cfg.autoLoadConntrackHelpers ''
options nf_conntrack nf_conntrack_helper=1
'';