author | tv <tv@krebsco.de> | 2016-12-01 21:59:25 +0100 |
committer | tv <tv@krebsco.de> | 2016-12-01 21:59:25 +0100 |
commit | 1e599969524d9772ad9c891a383048d9fef843e5 (patch) | |
tree | 6ae4edef0df43dcd82a7dedfa1aa5e45741cd233 /krebs/3modules/iptables.nix | |
parent | 32c59103f5315fb6160b1dd38df2c27647aaffdd (diff) | |
parent | f4ce5ea248c6dcb965f9367a4569a39f4be747af (diff) |
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'krebs/3modules/iptables.nix')
-rw-r--r-- | krebs/3modules/iptables.nix | 30 |
1 files changed, 5 insertions, 25 deletions
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index a4a4de6f9..09b493c20 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -29,9 +29,10 @@ let
 tables = mkOption {
 type = with types; attrsOf (attrsOf (submodule ({
 options = {
+ #TODO: find out good defaults.
 policy = mkOption {
 type = str;
- default = "-";
+ default = "ACCEPT";
 };
 rules = mkOption {
 type = nullOr (listOf (submodule ({
@@ -133,30 +134,9 @@ let
 #=====
 rules = iptables-version:
- let
- #TODO: find out good defaults.
- tables-defaults = {
- nat.PREROUTING.policy = "ACCEPT";
- nat.INPUT.policy = "ACCEPT";
- nat.OUTPUT.policy = "ACCEPT";
- nat.POSTROUTING.policy = "ACCEPT";
- filter.INPUT.policy = "ACCEPT";
- filter.FORWARD.policy = "ACCEPT";
- filter.OUTPUT.policy = "ACCEPT";
-
- #if someone specifies any other rules on this chain, the default rules get lost.
- #is this wanted beahiviour or a bug?
- #TODO: implement abstraction of rules
- filter.INPUT.rules = [
- { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- ];
- };
- tables = tables-defaults // cfg.tables;
-
- in
- pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
- ${buildTables iptables-version tables}
- '';
+ pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
+ ${buildTables iptables-version cfg.tables}
+ '';
 startScript = pkgs.writeDash "krebs-iptables_start" ''
 set -euf |
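Review bot: The new `default = "ACCEPT"` on the `policy` option applies to every chain declared under `cfg.tables`, not only to the built-in ones, and iptables-restore accepts a real policy (ACCEPT/DROP) only on built-in chains; a user-defined chain is expected to carry `-`, which is exactly what the old default gave it. If `buildTables` (outside this hunk) writes each chain as a `:NAME policy` line, any custom chain whose definition omits `policy` now yields a line iptables-restore rejects, so the ruleset fails to load instead of being applied. A safer shape is to keep the option nullable, `type = nullOr str; default = null;`, and let the builder map built-in chains to ACCEPT and everything else to `-`, though that change lives in `buildTables`, which I cannot see here. At minimum the option should record the constraint: `# Built-in chains take ACCEPT/DROP; user-defined chains must set policy = "-", as iptables-restore requires for them.` The `tables` option definition continues past the end of the hunk.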
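Review bot: Removing `tables-defaults` silently drops the implicit `filter.INPUT` rule that accepted `RELATED,ESTABLISHED` conntrack state, and nothing in the commit replaces it or mentions it in the message. Because `tables-defaults // cfg.tables` was a shallow merge, hosts that set any `filter` attribute had already lost that rule (the removed comment says as much), so the hosts affected are those that never declared `filter` and previously got an explicit `:INPUT ACCEPT` plus the conntrack rule; whether they still get a filter table at all now depends on how `buildTables` treats an absent table, which is outside the hunk. Worth stating in the option description so nobody assumes a baseline exists: `# No default rules are generated; a host that wants RELATED,ESTABLISHED traffic accepted must declare it in filter.INPUT.rules.` The enclosing `let` block starts and ends outside the hunk.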