diff options
Diffstat (limited to 'krebs/3modules/iptables.nix')
| -rw-r--r-- | krebs/3modules/iptables.nix | 16 |
1 files changed, 5 insertions, 11 deletions
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index 7007090c0..16f1f3c84 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import <stockholm/lib>; +with lib; let inherit (pkgs) writeText; @@ -43,10 +43,6 @@ let target = mkOption { type = str; }; - precedence = mkOption { - type = int; - default = 0; - }; v4 = mkOption { type = bool; default = true; @@ -112,12 +108,12 @@ let }) ({ krebs.iptables.tables.filter.INPUT.rules = map - (portRange: { predicate = "-p tcp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; }) + (portRange: { predicate = "-p tcp --dport ${toString portRange.from}:${toString portRange.to}"; target = "ACCEPT"; }) config.networking.firewall.allowedTCPPortRanges; }) ({ krebs.iptables.tables.filter.INPUT.rules = map - (portRange: { predicate = "-p udp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; }) + (portRange: { predicate = "-p udp --dport ${toString portRange.from}:${toString portRange.to}"; target = "ACCEPT"; }) config.networking.firewall.allowedUDPPortRanges; }) ({ @@ -145,13 +141,11 @@ let buildChain = tn: cn: let filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules; - sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules; - in #TODO: double check should be unneccessary, refactor! if ts.${tn}.${cn}.rules or null != null then concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] - ++ map (buildRule tn cn) sortedRules + ++ map (buildRule tn cn) filteredRules ) else "" @@ -183,7 +177,7 @@ let ${buildTables iptables-version cfg.tables} ''; - startScript = pkgs.writeDash "krebs-iptables_start" '' + startScript = pkgs.writers.writeDash "krebs-iptables_start" '' set -euf iptables-restore < ${rules "v4"} ip6tables-restore < ${rules "v6"} |