authorlassulus <lass@aidsballs.de>2015-07-13 13:39:49 +0200
committerlassulus <lass@aidsballs.de>2015-07-16 15:47:28 +0200
commitd629bee9546fa6ed6a018f2b6d491a851ad12738 (patch)
tree049777923f431beab9b3fd0a5e1c3953f4418451 /old/modules/lass/iptables
parent02261729c0a4108f2fcccf062b603d62f56782bf (diff)
"rebase"
Diffstat (limited to 'old/modules/lass/iptables')
-rw-r--r--old/modules/lass/iptables/config.nix119
-rw-r--r--old/modules/lass/iptables/default.nix11
-rw-r--r--old/modules/lass/iptables/options.nix44
3 files changed, 174 insertions, 0 deletions
diff --git a/old/modules/lass/iptables/config.nix b/old/modules/lass/iptables/config.nix
new file mode 100644
index 00000000..be521feb
--- /dev/null
+++ b/old/modules/lass/iptables/config.nix
@@ -0,0 +1,119 @@
+{ cfg, lib, pkgs, ... }:
+
+let
+ inherit (pkgs) writeScript writeText;
+ inherit (lib) concatMapStringsSep concatStringsSep attrNames unique fold any attrValues catAttrs filter flatten length hasAttr;
+
+#===== new api v4
+
+ #buildTable :: iptablesAttrSet` -> str
+ #todo: differentiate by iptables-version
+ buildTables = iptv: ts:
+ let
+ declareChain = t: cn:
+ #TODO: find out what to do whit these count numbers
+ ":${cn} ${t."${cn}".policy} [0:0]";
+
+ buildChain = tn: cn:
+ #"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}";
+
+ #TODO: sort by precedence
+ #TODO: double check should be unneccessary, refactor!
+ if (hasAttr "rules" ts."${tn}"."${cn}") then
+ if (ts."${tn}"."${cn}".rules == null) then
+ ""
+ else
+ concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
+ ++ map buildRule ts."${tn}"."${cn}".rules
+ )
+ else
+ ""
+ ;
+
+
+ buildRule = rule:
+ #TODO implement rule validation-test here
+ #
+ #target:
+ #target needs to be an existing chain (in the same table) or ACCEPT, REJECT, DROP, LOG, QUEUE, RETURN
+
+ #predicate:
+ #maybe use iptables-test
+ #TODO: howto exit with evaluation error by shellscript?
+ #apperantly not possible from nix because evalatution wouldn't be deterministic.
+ "${rule.predicate} -j ${rule.target}";
+
+ buildTable = tn:
+ "*${tn}\n" +
+ concatStringsSep "\n" ([]
+ ++ map (declareChain ts."${tn}") (attrNames ts."${tn}")
+ ) +
+ #this looks dirty, find a better way to do this (maybe optionalString)
+ concatStringsSep "" ([]
+ ++ map (buildChain tn) (attrNames ts."${tn}")
+ ) +
+ "\nCOMMIT";
+ in
+ concatStringsSep "\n" ([]
+ ++ map buildTable (attrNames ts)
+ );
+
+#=====
+
+ rules4 = iptables-version:
+ let
+ #TODO: find out good defaults.
+ tables-defaults = {
+ nat.PREROUTING.policy = "ACCEPT";
+ nat.INPUT.policy = "ACCEPT";
+ nat.OUTPUT.policy = "ACCEPT";
+ nat.POSTROUTING.policy = "ACCEPT";
+ filter.INPUT.policy = "ACCEPT";
+ filter.FORWARD.policy = "ACCEPT";
+ filter.OUTPUT.policy = "ACCEPT";
+
+ #if someone specifies any other rules on this chain, the default rules get lost.
+ #is this wanted beahiviour or a bug?
+ #TODO: implement abstraction of rules
+ filter.INPUT.rules = [
+ { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ ];
+ };
+ tables = tables-defaults // cfg.tables;
+
+ in
+ writeText "lass-iptables-rules${toString iptables-version}" ''
+ ${buildTables iptables-version tables}
+ '';
+
+ startScript = writeScript "lass-iptables_start" ''
+ #! /bin/sh
+ set -euf
+ iptables-restore < ${rules4 4}
+ ip6tables-restore < ${rules4 6}
+ '';
+in
+
+{
+ networking.firewall.enable = false;
+
+ systemd.services.lass-iptables = {
+ description = "lass-iptables";
+ wantedBy = [ "network-pre.target" ];
+ before = [ "network-pre.target" ];
+ after = [ "systemd-modules-load.service" ];
+
+ path = with pkgs; [
+ iptables
+ ];
+
+ restartIfChanged = true;
+
+ serviceConfig = {
+ Type = "simple";
+ RemainAfterExit = true;
+ Restart = "always";
+ ExecStart = "@${startScript} lass-iptables_start";
+ };
+ };
+}
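Review bot: The `//` in `tables = tables-defaults // cfg.tables;` merges only the top level, so a user who sets just `tables.filter.INPUT.policy = "DROP"` replaces the whole default `filter` table, losing the FORWARD and OUTPUT chain declarations as well as the RELATED,ESTABLISHED accept rule that the comment above it is worried about. `tables = lib.recursiveUpdate tables-defaults cfg.tables;` keeps the per-chain defaults; rule lists would still be replaced rather than appended, which the `#TODO: implement abstraction of rules` would have to address separately. A second point in the same hunk: the start script feeds the identical ruleset to `iptables-restore` and `ip6tables-restore` via `rules4 4` and `rules4 6`, so a predicate that is only valid for IPv4 would presumably make `ip6tables-restore` fail under `set -euf` after the v4 rules have already been loaded, leaving the two stacks in different states. The `iptv` argument of `buildTables` is accepted but never read, which the `#todo: differentiate by iptables-version` comment acknowledges; until that is implemented a comment next to `startScript` saying that both families receive the same rules would help users writing predicates.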
diff --git a/old/modules/lass/iptables/default.nix b/old/modules/lass/iptables/default.nix
new file mode 100644
index 00000000..7d46d456
--- /dev/null
+++ b/old/modules/lass/iptables/default.nix
@@ -0,0 +1,11 @@
+arg@{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.lass.iptables;
+ arg' = arg // { inherit cfg; };
+in
+
+{
+ options.lass.iptables = import ./options.nix arg';
+ config = lib.mkIf cfg.enable (import ./config.nix arg');
+}
diff --git a/old/modules/lass/iptables/options.nix b/old/modules/lass/iptables/options.nix
new file mode 100644
index 00000000..eb3bfc01
--- /dev/null
+++ b/old/modules/lass/iptables/options.nix
@@ -0,0 +1,44 @@
+{ lib, ... }:
+
+let
+ inherit (lib) mkEnableOption mkOption types;
+in
+
+{
+ enable = mkEnableOption "iptables";
+
+ #tables.filter.INPUT = {
+ # policy = "DROP";
+ # rules = [
+ # { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; }
+ # ];
+ #};
+ #new api
+ tables = mkOption {
+ type = with types; attrsOf (attrsOf (submodule ({
+ options = {
+ policy = mkOption {
+ type = str;
+ default = "-";
+ };
+ rules = mkOption {
+ type = nullOr (listOf (submodule ({
+ options = {
+ predicate = mkOption {
+ type = str;
+ };
+ target = mkOption {
+ type = str;
+ };
+ precedence = mkOption {
+ type = int;
+ default = 0;
+ };
+ };
+ })));
+ default = null;
+ };
+ };
+ })));
+ };
+}
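Review bot: `precedence` is declared here with `default = 0;` but `buildChain` in config.nix emits rules in list order and never reads it (its `#TODO: sort by precedence`), so the option is silently ignored; either implement the sort or add `description = "Not yet honoured; rules are emitted in list order.";` so users do not rely on it. Separately, `predicate` and `target` are plain `str` values that config.nix interpolates verbatim into the `iptables-restore` input, so a value containing a newline turns into extra restore lines and any typo only surfaces as a restore failure when the service starts; a check such as `type = addCheck str (s: builtins.match "[^\n]*" s != null);` turns that into an evaluation-time error, and `target` could further be restricted to a declared chain name or the builtin targets listed in config.nix's `#target needs to be ...` comment.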