From eb7d02406476e1b4002f05d4ac106593ce4e29ce Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 26 Nov 2016 19:09:34 +0100 Subject: k 3 iptables: remove obsolete asserts & style --- krebs/3modules/iptables.nix | 40 +++++++--------------------------------- 1 file changed, 7 insertions(+), 33 deletions(-) (limited to 'krebs/3modules/iptables.nix') diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index b610ff3d1..d48ff6f2b 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -1,5 +1,7 @@ { config, lib, pkgs, ... }: +with import ; + let inherit (pkgs) writeText; @@ -7,27 +9,6 @@ let elem ; - inherit (lib) - concatMapStringsSep - concatStringsSep - attrNames - unique - fold - any - attrValues - catAttrs - filter - flatten - length - hasAttr - hasPrefix - mkEnableOption - mkOption - mkIf - types - sort - ; - cfg = config.krebs.iptables; out = { @@ -93,7 +74,7 @@ let Type = "simple"; RemainAfterExit = true; Restart = "always"; - ExecStart = "@${startScript} krebs-iptables_start"; + ExecStart = startScript; }; }; }; @@ -123,13 +104,6 @@ let buildRule = tn: cn: rule: - #target validation test: - assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))) || hasPrefix "REDIRECT" rule.target || hasPrefix "DNAT" rule.target; - - #predicate validation test: - #maybe use iptables-test - #TODO: howto exit with evaluation error by shellscript? - #apperantly not possible from nix because evalatution wouldn't be deterministic. "${rule.predicate} -j ${rule.target}"; buildTable = tn: @@ -149,7 +123,7 @@ let #===== - rules4 = iptables-version: + rules = iptables-version: let #TODO: find out good defaults. tables-defaults = { 
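Review bot: The added `with import ;` line in the first hunk has no import path in this rendering — it looks like an angle-bracket search path that the page stripped as markup — so the page cannot confirm what replaces the `inherit (lib) …` list removed in the next hunk (`@@ -7,27 +9,6 @@`). Trading an explicit inherit list for a file-wide `with` makes every helper used below (`filter`, `sort`, `mkOption`, `types`, …) implicitly scoped and shadowable by later `let` bindings; the removed list was the only place that documented which lib functions this module depends on. A comment on the `with` line would keep that information, e.g. `# lib helpers (filter, sort, mkOption, types, …) come from this import; it replaces the former inherit (lib) list`.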
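Review bot: Dropping the target assert in `buildRule` (hunk `@@ -123,13 +104,6 @@`) moves the only evaluation-time check of `rule.target` to runtime: an unknown or mistyped `-j` target is now rejected by `iptables-restore` when `krebs-iptables_start` runs, after the ruleset file has already been built, and the unit declared `Restart = "always"` in the hunk above will keep restarting while the host stays on whatever rules were loaded before. If the assert is considered obsolete, a comment stating where targets are now validated would help, e.g. `# target is not validated at eval time; an invalid -j target fails iptables-restore at service start`; alternatively a trimmed check against the well-known targets plus `attrNames ts.${tn}` costs little at evaluation. `buildTable` and `buildChain`, which call this, are outside the hunk.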
@@ -171,14 +145,14 @@ let tables = tables-defaults // cfg.tables; in - writeText "krebs-iptables-rules${toString iptables-version}" '' + pkgs.writeText "krebs-iptables-rules${iptables-version}" '' ${buildTables iptables-version tables} ''; startScript = pkgs.writeDash "krebs-iptables_start" '' set -euf - iptables-restore < ${rules4 4} - ip6tables-restore < ${rules4 6} + iptables-restore < ${rules "v4"} + ip6tables-restore < ${rules "v6"} ''; in -- cgit v1.2.3 From 2070da74ab09d5dacaf62c3d8a72adab41c0be37 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 26 Nov 2016 19:10:02 +0100 Subject: k 3 iptables: add v4 and v6 options per rule --- krebs/3modules/iptables.nix | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'krebs/3modules/iptables.nix') diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index d48ff6f2b..a4a4de6f9 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -46,6 +46,14 @@ let type = int; default = 0; }; + v4 = mkOption { + type = bool; + default = true; + }; + v6 = mkOption { + type = bool; + default = true; + }; }; }))); default = null; @@ -90,7 +98,8 @@ let buildChain = tn: cn: let - sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules; + filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules; + sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules; in #TODO: double check should be unneccessary, refactor! -- cgit v1.2.3 [cgit] Unable to lock slot /tmp/cgit/5c100000.lock: No such file or directory (2)
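Review bot: `pkgs.writeText` on the added line duplicates the `inherit (pkgs) writeText;` that the first hunk of this patch keeps in scope; either keep calling `writeText "krebs-iptables-rules${iptables-version}" ''` or drop the inherit. The same hunk also changes the argument of `rules` from the integers `4`/`6` to the strings `"v4"`/`"v6"` and passes that value on through `buildTables iptables-version tables`, whose definition is outside the hunk — if `buildTables` or anything below it still compares the version numerically or uses it to pick a command, this changes behaviour without an evaluation error, so the `buildTables` definition is worth checking against the new string form.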
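Review bot: The new `v4` and `v6` options (hunk `@@ -46,6 +46,14 @@`) carry no `description`, so the generated option docs give a user no hint that a rule with both set to `false` is filtered out of both rulesets, as the `filter (r: r."${v}")` in the next hunk does. Add `description = "Whether this rule is included in the IPv4 ruleset fed to iptables-restore.";` and the IPv6 counterpart for `ip6tables-restore`. The enclosing `rules` option's `mkOption` starts outside the hunk.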
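Review bot: `v` in `filter (r: r."${v}") ts."${tn}"."${cn}".rules` (hunk `@@ -90,7 +98,8 @@`) is not bound anywhere in the hunk — `buildChain` takes only `tn` and `cn` — so it has to come from an enclosing scope, presumably the version string that `rules "v4"` / `rules "v6"` in the previous patch threads through `buildTables`; otherwise evaluation fails with an undefined variable, and the hunk gives no way to confirm which. The expression also couples the option names `v4`/`v6` to the string passed as the iptables version, so renaming either side breaks the filter with a missing-attribute error; a comment at that line such as `# v is "v4"/"v6" and doubles as the per-rule option name` records the coupling. Stylistically the interpolation is unnecessary: `filteredRules = filter (r: r.${v}) ts.${tn}.${cn}.rules;`.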