diff options
author | lassulus <lass@aidsballs.de> | 2015-07-13 13:39:49 +0200 |
---|---|---|
committer | lassulus <lass@aidsballs.de> | 2015-07-16 15:47:28 +0200 |
commit | d629bee9546fa6ed6a018f2b6d491a851ad12738 (patch) | |
tree | 049777923f431beab9b3fd0a5e1c3953f4418451 /old/modules/lass/iptables | |
parent | 02261729c0a4108f2fcccf062b603d62f56782bf (diff) |
"rebase"
Diffstat (limited to 'old/modules/lass/iptables')
-rw-r--r-- | old/modules/lass/iptables/config.nix | 119 | ||||
-rw-r--r-- | old/modules/lass/iptables/default.nix | 11 | ||||
-rw-r--r-- | old/modules/lass/iptables/options.nix | 44 |
3 files changed, 174 insertions, 0 deletions
diff --git a/old/modules/lass/iptables/config.nix b/old/modules/lass/iptables/config.nix new file mode 100644 index 000000000..be521feb9 --- /dev/null +++ b/old/modules/lass/iptables/config.nix @@ -0,0 +1,119 @@ +{ cfg, lib, pkgs, ... }: + +let + inherit (pkgs) writeScript writeText; + inherit (lib) concatMapStringsSep concatStringsSep attrNames unique fold any attrValues catAttrs filter flatten length hasAttr; + +#===== new api v4 + + #buildTable :: iptablesAttrSet` -> str + #todo: differentiate by iptables-version + buildTables = iptv: ts: + let + declareChain = t: cn: + #TODO: find out what to do whit these count numbers + ":${cn} ${t."${cn}".policy} [0:0]"; + + buildChain = tn: cn: + #"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}"; + + #TODO: sort by precedence + #TODO: double check should be unneccessary, refactor! + if (hasAttr "rules" ts."${tn}"."${cn}") then + if (ts."${tn}"."${cn}".rules == null) then + "" + else + concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] + ++ map buildRule ts."${tn}"."${cn}".rules + ) + else + "" + ; + + + buildRule = rule: + #TODO implement rule validation-test here + # + #target: + #target needs to be an existing chain (in the same table) or ACCEPT, REJECT, DROP, LOG, QUEUE, RETURN + + #predicate: + #maybe use iptables-test + #TODO: howto exit with evaluation error by shellscript? + #apperantly not possible from nix because evalatution wouldn't be deterministic. + "${rule.predicate} -j ${rule.target}"; + + buildTable = tn: + "*${tn}\n" + + concatStringsSep "\n" ([] + ++ map (declareChain ts."${tn}") (attrNames ts."${tn}") + ) + + #this looks dirty, find a better way to do this (maybe optionalString) + concatStringsSep "" ([] + ++ map (buildChain tn) (attrNames ts."${tn}") + ) + + "\nCOMMIT"; + in + concatStringsSep "\n" ([] + ++ map buildTable (attrNames ts) + ); + +#===== + + rules4 = iptables-version: + let + #TODO: find out good defaults. + tables-defaults = { + nat.PREROUTING.policy = "ACCEPT"; + nat.INPUT.policy = "ACCEPT"; + nat.OUTPUT.policy = "ACCEPT"; + nat.POSTROUTING.policy = "ACCEPT"; + filter.INPUT.policy = "ACCEPT"; + filter.FORWARD.policy = "ACCEPT"; + filter.OUTPUT.policy = "ACCEPT"; + + #if someone specifies any other rules on this chain, the default rules get lost. + #is this wanted beahiviour or a bug? + #TODO: implement abstraction of rules + filter.INPUT.rules = [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + ]; + }; + tables = tables-defaults // cfg.tables; + + in + writeText "lass-iptables-rules${toString iptables-version}" '' + ${buildTables iptables-version tables} + ''; + + startScript = writeScript "lass-iptables_start" '' + #! /bin/sh + set -euf + iptables-restore < ${rules4 4} + ip6tables-restore < ${rules4 6} + ''; +in + +{ + networking.firewall.enable = false; + + systemd.services.lass-iptables = { + description = "lass-iptables"; + wantedBy = [ "network-pre.target" ]; + before = [ "network-pre.target" ]; + after = [ "systemd-modules-load.service" ]; + + path = with pkgs; [ + iptables + ]; + + restartIfChanged = true; + + serviceConfig = { + Type = "simple"; + RemainAfterExit = true; + Restart = "always"; + ExecStart = "@${startScript} lass-iptables_start"; + }; + }; +} diff --git a/old/modules/lass/iptables/default.nix b/old/modules/lass/iptables/default.nix new file mode 100644 index 000000000..7d46d4563 --- /dev/null +++ b/old/modules/lass/iptables/default.nix @@ -0,0 +1,11 @@ +arg@{ config, lib, pkgs, ... }: + +let + cfg = config.lass.iptables; + arg' = arg // { inherit cfg; }; +in + +{ + options.lass.iptables = import ./options.nix arg'; + config = lib.mkIf cfg.enable (import ./config.nix arg'); +} diff --git a/old/modules/lass/iptables/options.nix b/old/modules/lass/iptables/options.nix new file mode 100644 index 000000000..eb3bfc011 --- /dev/null +++ b/old/modules/lass/iptables/options.nix @@ -0,0 +1,44 @@ +{ lib, ... }: + +let + inherit (lib) mkEnableOption mkOption types; +in + +{ + enable = mkEnableOption "iptables"; + + #tables.filter.INPUT = { + # policy = "DROP"; + # rules = [ + # { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; } + # ]; + #}; + #new api + tables = mkOption { + type = with types; attrsOf (attrsOf (submodule ({ + options = { + policy = mkOption { + type = str; + default = "-"; + }; + rules = mkOption { + type = nullOr (listOf (submodule ({ + options = { + predicate = mkOption { + type = str; + }; + target = mkOption { + type = str; + }; + precedence = mkOption { + type = int; + default = 0; + }; + }; + }))); + default = null; + }; + }; + }))); + }; +} |