diff options
author | tv <tv@shackspace.de> | 2015-07-16 23:22:30 +0200 |
---|---|---|
committer | tv <tv@shackspace.de> | 2015-07-16 23:22:30 +0200 |
commit | 57c520b722f25f384301118046bf9cf182d4edd7 (patch) | |
tree | 57983c04bb49fe0375300861111a61cede545794 /old/modules/lass/iptables/config.nix | |
parent | 447c63edbd403abf026800d10594ed037b4304e9 (diff) |
Goodbye old world, and thanks for all the fish!
Diffstat (limited to 'old/modules/lass/iptables/config.nix')
-rw-r--r-- | old/modules/lass/iptables/config.nix | 119 |
1 files changed, 0 insertions, 119 deletions
diff --git a/old/modules/lass/iptables/config.nix b/old/modules/lass/iptables/config.nix deleted file mode 100644 index be521feb9..000000000 --- a/old/modules/lass/iptables/config.nix +++ /dev/null @@ -1,119 +0,0 @@ -{ cfg, lib, pkgs, ... }: - -let - inherit (pkgs) writeScript writeText; - inherit (lib) concatMapStringsSep concatStringsSep attrNames unique fold any attrValues catAttrs filter flatten length hasAttr; - -#===== new api v4 - - #buildTable :: iptablesAttrSet` -> str - #todo: differentiate by iptables-version - buildTables = iptv: ts: - let - declareChain = t: cn: - #TODO: find out what to do whit these count numbers - ":${cn} ${t."${cn}".policy} [0:0]"; - - buildChain = tn: cn: - #"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}"; - - #TODO: sort by precedence - #TODO: double check should be unneccessary, refactor! - if (hasAttr "rules" ts."${tn}"."${cn}") then - if (ts."${tn}"."${cn}".rules == null) then - "" - else - concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] - ++ map buildRule ts."${tn}"."${cn}".rules - ) - else - "" - ; - - - buildRule = rule: - #TODO implement rule validation-test here - # - #target: - #target needs to be an existing chain (in the same table) or ACCEPT, REJECT, DROP, LOG, QUEUE, RETURN - - #predicate: - #maybe use iptables-test - #TODO: howto exit with evaluation error by shellscript? - #apperantly not possible from nix because evalatution wouldn't be deterministic. - "${rule.predicate} -j ${rule.target}"; - - buildTable = tn: - "*${tn}\n" + - concatStringsSep "\n" ([] - ++ map (declareChain ts."${tn}") (attrNames ts."${tn}") - ) + - #this looks dirty, find a better way to do this (maybe optionalString) - concatStringsSep "" ([] - ++ map (buildChain tn) (attrNames ts."${tn}") - ) + - "\nCOMMIT"; - in - concatStringsSep "\n" ([] - ++ map buildTable (attrNames ts) - ); - -#===== - - rules4 = iptables-version: - let - #TODO: find out good defaults. - tables-defaults = { - nat.PREROUTING.policy = "ACCEPT"; - nat.INPUT.policy = "ACCEPT"; - nat.OUTPUT.policy = "ACCEPT"; - nat.POSTROUTING.policy = "ACCEPT"; - filter.INPUT.policy = "ACCEPT"; - filter.FORWARD.policy = "ACCEPT"; - filter.OUTPUT.policy = "ACCEPT"; - - #if someone specifies any other rules on this chain, the default rules get lost. - #is this wanted beahiviour or a bug? - #TODO: implement abstraction of rules - filter.INPUT.rules = [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - ]; - }; - tables = tables-defaults // cfg.tables; - - in - writeText "lass-iptables-rules${toString iptables-version}" '' - ${buildTables iptables-version tables} - ''; - - startScript = writeScript "lass-iptables_start" '' - #! /bin/sh - set -euf - iptables-restore < ${rules4 4} - ip6tables-restore < ${rules4 6} - ''; -in - -{ - networking.firewall.enable = false; - - systemd.services.lass-iptables = { - description = "lass-iptables"; - wantedBy = [ "network-pre.target" ]; - before = [ "network-pre.target" ]; - after = [ "systemd-modules-load.service" ]; - - path = with pkgs; [ - iptables - ]; - - restartIfChanged = true; - - serviceConfig = { - Type = "simple"; - RemainAfterExit = true; - Restart = "always"; - ExecStart = "@${startScript} lass-iptables_start"; - }; - }; -} |