summaryrefslogtreecommitdiffstats
path: root/old/modules/lass/iptables/config.nix
diff options
context:
space:
mode:
authortv <tv@shackspace.de>2015-07-16 23:22:30 +0200
committertv <tv@shackspace.de>2015-07-16 23:22:30 +0200
commit57c520b722f25f384301118046bf9cf182d4edd7 (patch)
tree57983c04bb49fe0375300861111a61cede545794 /old/modules/lass/iptables/config.nix
parent447c63edbd403abf026800d10594ed037b4304e9 (diff)
Goodbye old world, and thanks for all the fish!
Diffstat (limited to 'old/modules/lass/iptables/config.nix')
-rw-r--r--old/modules/lass/iptables/config.nix119
1 files changed, 0 insertions, 119 deletions
diff --git a/old/modules/lass/iptables/config.nix b/old/modules/lass/iptables/config.nix
deleted file mode 100644
index be521feb9..000000000
--- a/old/modules/lass/iptables/config.nix
+++ /dev/null
@@ -1,119 +0,0 @@
-{ cfg, lib, pkgs, ... }:
-
-let
- inherit (pkgs) writeScript writeText;
- inherit (lib) concatMapStringsSep concatStringsSep attrNames unique fold any attrValues catAttrs filter flatten length hasAttr;
-
-#===== new api v4
-
- #buildTable :: iptablesAttrSet` -> str
- #todo: differentiate by iptables-version
- buildTables = iptv: ts:
- let
- declareChain = t: cn:
- #TODO: find out what to do whit these count numbers
- ":${cn} ${t."${cn}".policy} [0:0]";
-
- buildChain = tn: cn:
- #"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}";
-
- #TODO: sort by precedence
- #TODO: double check should be unneccessary, refactor!
- if (hasAttr "rules" ts."${tn}"."${cn}") then
- if (ts."${tn}"."${cn}".rules == null) then
- ""
- else
- concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
- ++ map buildRule ts."${tn}"."${cn}".rules
- )
- else
- ""
- ;
-
-
- buildRule = rule:
- #TODO implement rule validation-test here
- #
- #target:
- #target needs to be an existing chain (in the same table) or ACCEPT, REJECT, DROP, LOG, QUEUE, RETURN
-
- #predicate:
- #maybe use iptables-test
- #TODO: howto exit with evaluation error by shellscript?
- #apperantly not possible from nix because evalatution wouldn't be deterministic.
- "${rule.predicate} -j ${rule.target}";
-
- buildTable = tn:
- "*${tn}\n" +
- concatStringsSep "\n" ([]
- ++ map (declareChain ts."${tn}") (attrNames ts."${tn}")
- ) +
- #this looks dirty, find a better way to do this (maybe optionalString)
- concatStringsSep "" ([]
- ++ map (buildChain tn) (attrNames ts."${tn}")
- ) +
- "\nCOMMIT";
- in
- concatStringsSep "\n" ([]
- ++ map buildTable (attrNames ts)
- );
-
-#=====
-
- rules4 = iptables-version:
- let
- #TODO: find out good defaults.
- tables-defaults = {
- nat.PREROUTING.policy = "ACCEPT";
- nat.INPUT.policy = "ACCEPT";
- nat.OUTPUT.policy = "ACCEPT";
- nat.POSTROUTING.policy = "ACCEPT";
- filter.INPUT.policy = "ACCEPT";
- filter.FORWARD.policy = "ACCEPT";
- filter.OUTPUT.policy = "ACCEPT";
-
- #if someone specifies any other rules on this chain, the default rules get lost.
- #is this wanted beahiviour or a bug?
- #TODO: implement abstraction of rules
- filter.INPUT.rules = [
- { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- ];
- };
- tables = tables-defaults // cfg.tables;
-
- in
- writeText "lass-iptables-rules${toString iptables-version}" ''
- ${buildTables iptables-version tables}
- '';
-
- startScript = writeScript "lass-iptables_start" ''
- #! /bin/sh
- set -euf
- iptables-restore < ${rules4 4}
- ip6tables-restore < ${rules4 6}
- '';
-in
-
-{
- networking.firewall.enable = false;
-
- systemd.services.lass-iptables = {
- description = "lass-iptables";
- wantedBy = [ "network-pre.target" ];
- before = [ "network-pre.target" ];
- after = [ "systemd-modules-load.service" ];
-
- path = with pkgs; [
- iptables
- ];
-
- restartIfChanged = true;
-
- serviceConfig = {
- Type = "simple";
- RemainAfterExit = true;
- Restart = "always";
- ExecStart = "@${startScript} lass-iptables_start";
- };
- };
-}