summaryrefslogtreecommitdiffstats
path: root/krebs/3modules/iptables.nix
diff options
context:
space:
mode:
Diffstat (limited to 'krebs/3modules/iptables.nix')
-rw-r--r--krebs/3modules/iptables.nix40
1 files changed, 7 insertions, 33 deletions
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index b610ff3d1..d48ff6f2b 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -1,5 +1,7 @@
{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
let
inherit (pkgs) writeText;
@@ -7,27 +9,6 @@ let
elem
;
- inherit (lib)
- concatMapStringsSep
- concatStringsSep
- attrNames
- unique
- fold
- any
- attrValues
- catAttrs
- filter
- flatten
- length
- hasAttr
- hasPrefix
- mkEnableOption
- mkOption
- mkIf
- types
- sort
- ;
-
cfg = config.krebs.iptables;
out = {
@@ -93,7 +74,7 @@ let
Type = "simple";
RemainAfterExit = true;
Restart = "always";
- ExecStart = "@${startScript} krebs-iptables_start";
+ ExecStart = startScript;
};
};
};
@@ -123,13 +104,6 @@ let
buildRule = tn: cn: rule:
- #target validation test:
- assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))) || hasPrefix "REDIRECT" rule.target || hasPrefix "DNAT" rule.target;
-
- #predicate validation test:
- #maybe use iptables-test
- #TODO: howto exit with evaluation error by shellscript?
- #apperantly not possible from nix because evalatution wouldn't be deterministic.
"${rule.predicate} -j ${rule.target}";
buildTable = tn:
@@ -149,7 +123,7 @@ let
#=====
- rules4 = iptables-version:
+ rules = iptables-version:
let
#TODO: find out good defaults.
tables-defaults = {
@@ -171,14 +145,14 @@ let
tables = tables-defaults // cfg.tables;
in
- writeText "krebs-iptables-rules${toString iptables-version}" ''
+ pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
${buildTables iptables-version tables}
'';
startScript = pkgs.writeDash "krebs-iptables_start" ''
set -euf
- iptables-restore < ${rules4 4}
- ip6tables-restore < ${rules4 6}
+ iptables-restore < ${rules "v4"}
+ ip6tables-restore < ${rules "v6"}
'';
in