diff --git a/lib/default.nix b/lib/default.nix
index 347830e8c..8ba55b571 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -9,6 +9,7 @@ let
     krops = import ../submodules/krops/lib;
     shell = import ./shell.nix { inherit lib; };
     types = nixpkgs-lib.types // import ./types.nix { inherit lib; };
+    xml = import ./xml.nix { inherit lib; };
 
     eq = x: y: x == y;
     ne = x: y: x != y;
@@ -145,6 +146,11 @@ let
     in
       filter (x: x != []) ([acc.chunk] ++ acc.chunks);
 
+    warnOldVersion = oldName: newName:
+      if compareVersions oldName newName != -1 then
+        trace "Upstream `${oldName}' gets overridden by `${newName}'." newName
+      else
+        newName;
   };
 in
 
diff --git a/lib/xml.nix b/lib/xml.nix
new file mode 100644
index 000000000..16052445b
--- /dev/null
+++ b/lib/xml.nix
@@ -0,0 +1,88 @@
+{ lib }:
+with lib;
+with builtins;
+rec {
+
+  # Use `term` to construct XML.
+  #
+  # Examples:
+  #
+  #   (term "bool" null null)
+  #   (term "cool" null [])
+  #   (term "fool" { hurr = "durr"; } null)
+  #   (term "hool" null [
+  #     (term "tool" null null)
+  #   ])
+  #
+  # See `render` for how these get transformed into actuall XML documents.
+  #
+  term = name: attrs: content: {
+    inherit name attrs content;
+  };
+
+  empty = term null null null;
+
+  # Ref http://www.w3.org/TR/xml/#syntax
+  #
+  # Example:
+  #
+  #   (quote "<cheez!>")                 #===>   &lt;cheez!&gt;
+  #
+  quote = let
+    sub = {
+      "&" = "&amp;";
+      "<" = "&lt;";
+      ">" = "&gt;";
+      "'" = "&apos;";
+      "\"" = "&quot;";
+    };
+  in
+    stringAsChars (c: sub.${c} or c);
+
+  # Turn an XML element to an XML document string.
+  doc = t:
+    "<?xml version='1.0' encoding='UTF-8'?>${render t}";
+
+  # Render an XML element to a string.
+  #
+  # Rendering `empty` yields the empty string.
+  #
+  # Examples:
+  #
+  #   (term "bool" null null)                 #===>   <bool/>
+  #   (term "cool" null [])                   #===>   <cool></cool>
+  #   (term "fool" { hurr = "durr"; } null)   #===>   <fool hurr="durr"/>
+  #   (term "hool" null [
+  #     (term "tool" null null)
+  #   ])                                      #===>   <hool><tool/></hool>
+  #
+  render = let
+    render-attrs = attrs:
+      getAttr (typeOf attrs) {
+        null = "";
+        set = concatStrings (mapAttrsToList (n: v: " ${n}=\"${v}\"") attrs);
+      };
+
+    render-content = content:
+      getAttr (typeOf content) {
+        bool = toJSON content;
+        int = toJSON content;
+        list = concatMapStrings render content;
+        string = quote content;
+      };
+  in
+    { name, attrs, content }:
+    # XXX we're currently encoding too much information with `null`..
+    if name == null
+      then
+        if content == null
+          then ""
+          else content
+      else let
+        attrs' = render-attrs attrs;
+        content' = render-content content;
+      in
+        if content == null
+          then "<${name}${attrs'}/>"
+          else "<${name}${attrs'}>${content'}</${name}>";
+}
diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix
index 56861dc74..3974760d5 100644
--- a/tv/3modules/iptables.nix
+++ b/tv/3modules/iptables.nix
@@ -9,6 +9,37 @@ let {
     config = lib.mkIf cfg.enable imp;
   };
 
+  extraTypes = {
+    rules = types.submodule {
+      options = {
+        nat.OUTPUT = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+        nat.PREROUTING = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+        nat.POSTROUTING = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+        filter.FORWARD = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+        filter.INPUT = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+        filter.Retiolum = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+      };
+    };
+  };
+
   api = {
     enable = mkEnableOption "tv.iptables";
 
@@ -37,19 +68,19 @@ let {
       default = [];
     };
 
-    extra = {
-      nat.POSTROUTING = mkOption {
-        type = with types; listOf str;
-        default = [];
-      };
-      filter.FORWARD = mkOption {
-        type = with types; listOf str;
-        default = [];
-      };
-      filter.INPUT = mkOption {
-        type = with types; listOf str;
-        default = [];
-      };
+    extra = mkOption {
+      default = {};
+      type = extraTypes.rules;
+    };
+
+    extra4 = mkOption {
+      default = {};
+      type = extraTypes.rules;
+    };
+
+    extra6 = mkOption {
+      default = {};
+      type = extraTypes.rules;
     };
   };
 
@@ -112,6 +143,7 @@ let {
         "-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
       ]}
       ${formatTable cfg.extra.nat}
+      ${formatTable cfg."extra${toString iptables-version}".nat}
       COMMIT
       *filter
       :INPUT DROP [0:0]
@@ -129,6 +161,7 @@ let {
         ++ ["-i retiolum -j Retiolum"]
       )}
       ${formatTable cfg.extra.filter}
+      ${formatTable cfg."extra${toString iptables-version}".filter}
       ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
         ++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
         ++ map accept-tcp (unique (map toString cfg.input-retiolum-accept-tcp))
diff --git a/tv/5pkgs/simple/bash-fzf-history.nix b/tv/5pkgs/simple/bash-fzf-history.nix
index b603dedd9..88a8e9e4a 100644
--- a/tv/5pkgs/simple/bash-fzf-history.nix
+++ b/tv/5pkgs/simple/bash-fzf-history.nix
@@ -97,7 +97,6 @@ with import <stockholm/lib>;
     bind -s | ${pkgs.gnugrep}/bin/grep __fzf_ >&2
   '';
 in
-  script //
-  rec {
+  script.overrideAttrs (old: rec {
     bind = /* sh */ ''bind -x '"${load-keyseq}": . ${script}' '';
-  }
+  })