{ config, lib, pkgs, ... }: with import <stockholm/lib>; let inherit (pkgs) writeText; inherit (builtins) elem ; cfg = config.krebs.iptables; out = { options.krebs.iptables = api; config = mkIf cfg.enable imp; }; api = { enable = mkEnableOption "iptables"; #tables.filter.INPUT = { # policy = "DROP"; # rules = [ # { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; } # ]; #}; #new api tables = mkOption { type = with types; attrsOf (attrsOf (submodule ({ options = { #TODO: find out good defaults. policy = mkOption { type = str; default = "ACCEPT"; }; rules = mkOption { type = nullOr (listOf (submodule ({ options = { predicate = mkOption { type = str; }; target = mkOption { type = str; }; precedence = mkOption { type = int; default = 0; }; v4 = mkOption { type = bool; default = true; }; v6 = mkOption { type = bool; default = true; }; }; }))); default = null; }; }; }))); default = { filter.INPUT.policy = "ACCEPT"; filter.FORWARD.policy = "ACCEPT"; filter.OUTPUT.policy = "ACCEPT"; nat.PREROUTING.policy = "ACCEPT"; nat.INPUT.policy = "ACCEPT"; nat.OUTPUT.policy = "ACCEPT"; nat.POSTROUTING.policy = "ACCEPT"; }; }; }; imp = mkMerge ([{ networking.firewall.enable = false; systemd.services.krebs-iptables = { wantedBy = [ "sysinit.target" ]; wants = [ "network-pre.target" ]; before = [ "network-pre.target" ]; after = [ "systemd-modules-load.service" ]; path = with pkgs; [ iptables ]; restartIfChanged = true; serviceConfig = { Type = "simple"; RemainAfterExit = true; Restart = "always"; ExecStart = startScript; }; unitConfig.DefaultDependencies = false; }; }] ++ compat); compat = [ ({ krebs.iptables.tables.filter.INPUT.rules = map (port: { predicate = "-p tcp --dport ${toString port}"; target = "ACCEPT"; }) config.networking.firewall.allowedTCPPorts; }) ({ krebs.iptables.tables.filter.INPUT.rules = map (port: { predicate = "-p udp --dport ${toString port}"; target = "ACCEPT"; }) config.networking.firewall.allowedUDPPorts; }) ({ krebs.iptables.tables.filter.INPUT.rules = map (portRange: { predicate = "-p tcp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; }) config.networking.firewall.allowedTCPPortRanges; }) ({ krebs.iptables.tables.filter.INPUT.rules = map (portRange: { predicate = "-p udp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; }) config.networking.firewall.allowedUDPPortRanges; }) ({ krebs.iptables.tables.filter.INPUT.rules = flatten (mapAttrsToList (interface: interfaceConfig: [ (map (port: { predicate = "-i ${interface} -p tcp --dport ${toString port}"; target = "ACCEPT"; }) interfaceConfig.allowedTCPPorts) (map (port: { predicate = "-i ${interface} -p udp --dport ${toString port}"; target = "ACCEPT"; }) interfaceConfig.allowedUDPPorts) (map (portRange: { predicate = "-i ${interface} -p tcp --dport ${toString portRange.from}:${toString portRange.to}"; target = "ACCEPT"; }) interfaceConfig.allowedTCPPortRanges) (map (portRange: { predicate = "-i ${interface} -p udp --dport ${toString portRange.from}:${toString portRange.to}"; target = "ACCEPT"; }) interfaceConfig.allowedUDPPortRanges) ]) config.networking.firewall.interfaces ); }) ]; #buildTable :: iptablesVersion -> iptablesAttrSet` -> str #todo: differentiate by iptables-version buildTables = v: ts: let declareChain = t: cn: #TODO: find out what to do whit these count numbers ":${cn} ${t."${cn}".policy} [0:0]"; buildChain = tn: cn: let filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules; sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules; in #TODO: double check should be unneccessary, refactor! if ts.${tn}.${cn}.rules or null != null then concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] ++ map (buildRule tn cn) sortedRules ) else "" ; buildRule = tn: cn: rule: "${rule.predicate} -j ${rule.target}"; buildTable = tn: "*${tn}\n" + concatStringsSep "\n" ([] ++ map (declareChain ts."${tn}") (attrNames ts."${tn}") ) + #this looks dirty, find a better way to do this (maybe optionalString) concatStringsSep "" ([] ++ map (buildChain tn) (attrNames ts."${tn}") ) + "\nCOMMIT"; in concatStringsSep "\n" ([] ++ map buildTable (attrNames ts) ); #===== rules = iptables-version: pkgs.writeText "krebs-iptables-rules${iptables-version}" '' ${buildTables iptables-version cfg.tables} ''; startScript = pkgs.writeDash "krebs-iptables_start" '' set -euf iptables-restore < ${rules "v4"} ip6tables-restore < ${rules "v6"} ''; in out