nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-30 10:53:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

nixos/networking.firewall: remove with lib;

Browse Source
This commit is contained in:
Felix Buehler 2024-08-28 21:19:07 +02:00 committed by Jörg Thalheim
parent e915ced804
commit 00d0e3ba98
1 changed files with 51 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
nixos/modules/services/networking/firewall.nix
View File

@ -1,7 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib;
let let
cfg = config.networking.firewall; cfg = config.networking.firewall;
@ -10,8 +7,8 @@ let
ports: lib.unique (builtins.sort builtins.lessThan ports); ports: lib.unique (builtins.sort builtins.lessThan ports);
commonOptions = { commonOptions = {
allowedTCPPorts = mkOption { allowedTCPPorts = lib.mkOption {
type = types.listOf types.port; type = lib.types.listOf lib.types.port;
default = [ ]; default = [ ];
apply = canonicalizePortList; apply = canonicalizePortList;
example = [ 22 80 ]; example = [ 22 80 ];
@ -21,8 +18,8 @@ let
''; '';
}; };
allowedTCPPortRanges = mkOption { allowedTCPPortRanges = lib.mkOption {
type = types.listOf (types.attrsOf types.port); type = lib.types.listOf (lib.types.attrsOf lib.types.port);
default = [ ]; default = [ ];
example = [{ from = 8999; to = 9003; }]; example = [{ from = 8999; to = 9003; }];
description = '' description = ''
@ -31,8 +28,8 @@ let
''; '';
}; };
allowedUDPPorts = mkOption { allowedUDPPorts = lib.mkOption {
type = types.listOf types.port; type = lib.types.listOf lib.types.port;
default = [ ]; default = [ ];
apply = canonicalizePortList; apply = canonicalizePortList;
example = [ 53 ]; example = [ 53 ];
@ -41,8 +38,8 @@ let
''; '';
}; };
allowedUDPPortRanges = mkOption { allowedUDPPortRanges = lib.mkOption {
type = types.listOf (types.attrsOf types.port); type = lib.types.listOf (lib.types.attrsOf lib.types.port);
default = [ ]; default = [ ];
example = [{ from = 60000; to = 61000; }]; example = [{ from = 60000; to = 61000; }];
description = '' description = ''
@ -58,8 +55,8 @@ in
options = { options = {
networking.firewall = { networking.firewall = {
enable = mkOption { enable = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = true; default = true;
description = '' description = ''
Whether to enable the firewall. This is a simple stateful Whether to enable the firewall. This is a simple stateful
@ -68,18 +65,18 @@ in
''; '';
}; };
package = mkOption { package = lib.mkOption {
type = types.package; type = lib.types.package;
default = if config.networking.nftables.enable then pkgs.nftables else pkgs.iptables; default = if config.networking.nftables.enable then pkgs.nftables else pkgs.iptables;
defaultText = literalExpression ''if config.networking.nftables.enable then "pkgs.nftables" else "pkgs.iptables"''; defaultText = lib.literalExpression ''if config.networking.nftables.enable then "pkgs.nftables" else "pkgs.iptables"'';
example = literalExpression "pkgs.iptables-legacy"; example = lib.literalExpression "pkgs.iptables-legacy";
description = '' description = ''
The package to use for running the firewall service. The package to use for running the firewall service.
''; '';
}; };
logRefusedConnections = mkOption { logRefusedConnections = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = true; default = true;
description = '' description = ''
Whether to log rejected or dropped incoming connections. Whether to log rejected or dropped incoming connections.
@ -88,8 +85,8 @@ in
''; '';
}; };
logRefusedPackets = mkOption { logRefusedPackets = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = false; default = false;
description = '' description = ''
Whether to log all rejected or dropped incoming packets. Whether to log all rejected or dropped incoming packets.
@ -100,8 +97,8 @@ in
''; '';
}; };
logRefusedUnicastsOnly = mkOption { logRefusedUnicastsOnly = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = true; default = true;
description = '' description = ''
If {option}`networking.firewall.logRefusedPackets` If {option}`networking.firewall.logRefusedPackets`
@ -111,8 +108,8 @@ in
''; '';
}; };
rejectPackets = mkOption { rejectPackets = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = false; default = false;
description = '' description = ''
If set, refused packets are rejected rather than dropped If set, refused packets are rejected rather than dropped
@ -123,8 +120,8 @@ in
''; '';
}; };
trustedInterfaces = mkOption { trustedInterfaces = lib.mkOption {
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
default = [ ]; default = [ ];
example = [ "enp0s2" ]; example = [ "enp0s2" ];
description = '' description = ''
@ -134,8 +131,8 @@ in
''; '';
}; };
allowPing = mkOption { allowPing = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = true; default = true;
description = '' description = ''
Whether to respond to incoming ICMPv4 echo requests Whether to respond to incoming ICMPv4 echo requests
@ -145,8 +142,8 @@ in
''; '';
}; };
pingLimit = mkOption { pingLimit = lib.mkOption {
type = types.nullOr (types.separatedString " "); type = lib.types.nullOr (lib.types.separatedString " ");
default = null; default = null;
example = "--limit 1/minute --limit-burst 5"; example = "--limit 1/minute --limit-burst 5";
description = '' description = ''
@ -160,10 +157,10 @@ in
''; '';
}; };
checkReversePath = mkOption { checkReversePath = lib.mkOption {
type = types.either types.bool (types.enum [ "strict" "loose" ]); type = lib.types.either lib.types.bool (lib.types.enum [ "strict" "loose" ]);
default = true; default = true;
defaultText = literalMD "`true` except if the iptables based firewall is in use and the kernel lacks rpfilter support"; defaultText = lib.literalMD "`true` except if the iptables based firewall is in use and the kernel lacks rpfilter support";
example = "loose"; example = "loose";
description = '' description = ''
Performs a reverse path filter test on a packet. If a reply Performs a reverse path filter test on a packet. If a reply
@ -180,8 +177,8 @@ in
''; '';
}; };
logReversePathDrops = mkOption { logReversePathDrops = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = false; default = false;
description = '' description = ''
Logs dropped packets failing the reverse path filter test if Logs dropped packets failing the reverse path filter test if
@ -189,8 +186,8 @@ in
''; '';
}; };
filterForward = mkOption { lib.filterForward = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = false; default = false;
description = '' description = ''
Enable filtering in IP forwarding. Enable filtering in IP forwarding.
@ -199,8 +196,8 @@ in
''; '';
}; };
connectionTrackingModules = mkOption { connectionTrackingModules = lib.mkOption {
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
default = [ ]; default = [ ];
example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
description = '' description = ''
@ -219,8 +216,8 @@ in
''; '';
}; };
autoLoadConntrackHelpers = mkOption { autoLoadConntrackHelpers = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = false; default = false;
description = '' description = ''
Whether to auto-load connection-tracking helpers. Whether to auto-load connection-tracking helpers.
@ -230,29 +227,29 @@ in
''; '';
}; };
extraPackages = mkOption { extraPackages = lib.mkOption {
type = types.listOf types.package; type = lib.types.listOf lib.types.package;
default = [ ]; default = [ ];
example = literalExpression "[ pkgs.ipset ]"; example = lib.literalExpression "[ pkgs.ipset ]";
description = '' description = ''
Additional packages to be included in the environment of the system Additional packages to be included in the environment of the system
as well as the path of networking.firewall.extraCommands. as well as the path of networking.firewall.extraCommands.
''; '';
}; };
interfaces = mkOption { interfaces = lib.mkOption {
default = { }; default = { };
type = with types; attrsOf (submodule [{ options = commonOptions; }]); type = with lib.types; attrsOf (submodule [{ options = commonOptions; }]);
description = '' description = ''
Interface-specific open ports. Interface-specific open ports.
''; '';
}; };
allInterfaces = mkOption { allInterfaces = lib.mkOption {
internal = true; internal = true;
visible = false; visible = false;
default = { default = mapAttrs (name: value: cfg.${name}) commonOptions; } // cfg.interfaces; default = { default = lib.mapAttrs (name: value: cfg.${name}) commonOptions; } // cfg.interfaces;
type = with types; attrsOf (submodule [{ options = commonOptions; }]); type = with lib.types; attrsOf (submodule [{ options = commonOptions; }]);
description = '' description = ''
All open ports. All open ports.
''; '';
@ -262,11 +259,11 @@ in
}; };
config = mkIf cfg.enable { config = lib.mkIf cfg.enable {
assertions = [ assertions = [
{ {
assertion = cfg.filterForward -> config.networking.nftables.enable; assertion = cfg.lib.filterForward -> config.networking.nftables.enable;
message = "filterForward only works with the nftables based firewall"; message = "filterForward only works with the nftables based firewall";
} }
{ {
@ -279,9 +276,9 @@ in
environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages; environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages;
boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack") boot.kernelModules = (lib.optional cfg.autoLoadConntrackHelpers "nf_conntrack")
++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers '' boot.extraModprobeConfig = lib.optionalString cfg.autoLoadConntrackHelpers ''
options nf_conntrack nf_conntrack_helper=1 options nf_conntrack nf_conntrack_helper=1
''; '';