summaryrefslogtreecommitdiffstats
path: root/krebs/3modules/iptables.nix
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2016-12-01 21:59:25 +0100
committertv <tv@krebsco.de>2016-12-01 21:59:25 +0100
commit1e599969524d9772ad9c891a383048d9fef843e5 (patch)
tree6ae4edef0df43dcd82a7dedfa1aa5e45741cd233 /krebs/3modules/iptables.nix
parent32c59103f5315fb6160b1dd38df2c27647aaffdd (diff)
parentf4ce5ea248c6dcb965f9367a4569a39f4be747af (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'krebs/3modules/iptables.nix')
-rw-r--r--krebs/3modules/iptables.nix30
1 files changed, 5 insertions, 25 deletions
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index a4a4de6f9..09b493c20 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -29,9 +29,10 @@ let
tables = mkOption {
type = with types; attrsOf (attrsOf (submodule ({
options = {
+ #TODO: find out good defaults.
policy = mkOption {
type = str;
- default = "-";
+ default = "ACCEPT";
};
rules = mkOption {
type = nullOr (listOf (submodule ({
@@ -133,30 +134,9 @@ let
#=====
rules = iptables-version:
- let
- #TODO: find out good defaults.
- tables-defaults = {
- nat.PREROUTING.policy = "ACCEPT";
- nat.INPUT.policy = "ACCEPT";
- nat.OUTPUT.policy = "ACCEPT";
- nat.POSTROUTING.policy = "ACCEPT";
- filter.INPUT.policy = "ACCEPT";
- filter.FORWARD.policy = "ACCEPT";
- filter.OUTPUT.policy = "ACCEPT";
-
- #if someone specifies any other rules on this chain, the default rules get lost.
- #is this wanted beahiviour or a bug?
- #TODO: implement abstraction of rules
- filter.INPUT.rules = [
- { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- ];
- };
- tables = tables-defaults // cfg.tables;
-
- in
- pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
- ${buildTables iptables-version tables}
- '';
+ pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
+ ${buildTables iptables-version cfg.tables}
+ '';
startScript = pkgs.writeDash "krebs-iptables_start" ''
set -euf