nixos/firewall: Add the ability to specify additional packages for extraCommands

William A. Kennington III 2015-07-26 16:32:59 -07:00
parent f07b2121f9
commit abc7c1b013


@ -420,6 +420,16 @@ in
'';
};
networking.firewall.extraPackages = mkOption {
default = [ ];
example = [ pkgs.ipset ];
description =
''
Additional packages to be included in the environment of the system
as well as the path of networking.firewall.extraCommands.
'';
};
networking.firewall.extraStopCommands = mkOption {
type = types.lines;
default = "";
@ -443,7 +453,7 @@ in
networking.firewall.trustedInterfaces = [ "lo" ];
environment.systemPackages = [ pkgs.iptables ];
environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) ''
@ -462,7 +472,7 @@ in
before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ];
path = [ pkgs.iptables ];
path = [ pkgs.iptables ] ++ cfg.extraPackages;
# FIXME: this module may also try to load kernel modules, but
# containers don't have CAP_SYS_MODULE. So the host system had