mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-26 17:03:01 +00:00
nixos/firewall: Add the ability to specify additional packages for extraCommands
This commit is contained in:
parent
f07b2121f9
commit
abc7c1b013
@ -420,6 +420,16 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall.extraPackages = mkOption {
|
||||
default = [ ];
|
||||
example = [ pkgs.ipset ];
|
||||
description =
|
||||
''
|
||||
Additional packages to be included in the environment of the system
|
||||
as well as the path of networking.firewall.extraCommands.
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall.extraStopCommands = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
@ -443,7 +453,7 @@ in
|
||||
|
||||
networking.firewall.trustedInterfaces = [ "lo" ];
|
||||
|
||||
environment.systemPackages = [ pkgs.iptables ];
|
||||
environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
|
||||
|
||||
boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
|
||||
boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) ''
|
||||
@ -462,7 +472,7 @@ in
|
||||
before = [ "network-pre.target" ];
|
||||
after = [ "systemd-modules-load.service" ];
|
||||
|
||||
path = [ pkgs.iptables ];
|
||||
path = [ pkgs.iptables ] ++ cfg.extraPackages;
|
||||
|
||||
# FIXME: this module may also try to load kernel modules, but
|
||||
# containers don't have CAP_SYS_MODULE. So the host system had
|
||||
|
Loading…
Reference in New Issue
Block a user