author | Graham Christensen <graham@grahamc.com> | 2016-08-25 20:38:02 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-08-25 20:38:02 -0400 |
commit | 8d10928ad0913936ca844293cacc3c9af67d419a (patch) | |
tree | c446b66c8e90ca543d24d4d329ae6d83df50e946 | |
parent | c011aa86ab62c90720304cb8218d4fa505cd8cf5 (diff) | |
parent | 7b354ce8cc774d8a354950bb0ae494f763331410 (diff) | |
Merge pull request #17908 from Mic92/ferm
Ferm
-rw-r--r-- | lib/maintainers.nix | 1 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/networking/ferm.nix | 63 | ||||
-rw-r--r-- | pkgs/tools/networking/ferm/default.nix | 38 | ||||
-rw-r--r-- | pkgs/top-level/all-packages.nix | 2 |
5 files changed, 105 insertions, 0 deletions
diff --git a/lib/maintainers.nix b/lib/maintainers.nix
index def9709d1ee8..b9fd905dd54d 100644
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@@ -249,6 +249,7 @@
 mcmtroffaes = "Matthias C. M. Troffaes <matthias.troffaes@gmail.com>";
 meditans = "Carlo Nucera <meditans@gmail.com>";
 meisternu = "Matt Miemiec <meister@krutt.org>";
+ mic92 = "Jörg Thalheim <joerg@higgsboson.tk>";
 michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
 michalrus = "Michal Rus <m@michalrus.com>";
 michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index eb89ff83e2ce..dfc1d694e976 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -335,6 +335,7 @@
 ./services/networking/docker-registry-server.nix
 ./services/networking/ejabberd.nix
 ./services/networking/fan.nix
+ ./services/networking/ferm.nix
 ./services/networking/firefox/sync-server.nix
 ./services/networking/firewall.nix
 ./services/networking/flashpolicyd.nix
diff --git a/nixos/modules/services/networking/ferm.nix b/nixos/modules/services/networking/ferm.nix
new file mode 100644
index 000000000000..6271e82541f4
--- /dev/null
+++ b/nixos/modules/services/networking/ferm.nix
@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.ferm;
+
+ configFile = pkgs.stdenv.mkDerivation {
+ name = "ferm.conf";
+ text = cfg.config;
+ preferLocalBuild = true;
+ buildCommand = ''
+ echo -n "$text" > $out
+ ${cfg.package}/bin/ferm --noexec $out
+ '';
+ };
+in {
+ options = {
+ services.ferm = {
+ enable = mkOption {
+ default = false;
+ example = true;
+ type = types.bool;
+ description = ''
+ Whether to enable Ferm Firewall.
+ *Warning*: Enabling this service WILL disable the existing NixOS
+ firewall! Default firewall rules provided by packages are not
+ considered at the moment.
+ '';
+ };
+ config = mkOption {
+ description = "Verbatim ferm.conf configuration.";
+ default = "";
+ defaultText = "empty firewall, allows any traffic";
+ type = types.lines;
+ };
+ package = mkOption {
+ description = "The ferm package.";
+ type = types.package;
+ default = pkgs.ferm;
+ defaultText = "pkgs.ferm";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.firewall.enable = false;
+ systemd.services.ferm = {
+ description = "Ferm Firewall";
+ after = [ "ipset.target" ];
+ before = [ "network-pre.target" ];
+ wants = [ "network-pre.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type="oneshot";
+ RemainAfterExit = "yes";
+ ExecStart = "${cfg.package}/bin/ferm ${configFile}";
+ ExecReload = "${cfg.package}/bin/ferm ${configFile}";
+ ExecStop = "${cfg.package}/bin/ferm -F ${configFile}";
+ };
+ };
+ };
+}
diff --git a/pkgs/tools/networking/ferm/default.nix b/pkgs/tools/networking/ferm/default.nix
new file mode 100644
index 000000000000..f4cf387ecc52
--- /dev/null
+++ b/pkgs/tools/networking/ferm/default.nix
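Review bot: Enabling the module with the default `config = ""` disables the NixOS `firewall` unit and loads an empty ruleset, so the host ends up accepting all traffic (the `defaultText` says as much), and `ExecStop = ferm -F` flushes back to that accept-all state whenever the unit is stopped; the `enable` description warns that the NixOS firewall goes away but not that the default is fail-open. Consider refusing an empty configuration in the `config = mkIf cfg.enable { ... }` block, e.g. `assertions = [ { assertion = cfg.config != ""; message = "services.ferm.config must not be empty: enabling ferm disables the NixOS firewall"; } ];`, and adding a sentence to the `enable` description that stopping the unit leaves no rules loaded. Only `systemd.services.firewall.enable` is set to false while `networking.firewall.enable` itself is left untouched, so anything else keyed off that option (the NixOS firewall module is not visible in this diff) would still believe a firewall is active; setting it to false here, or asserting on it, would make the conflict explicit. Minor style: `Type="oneshot";` should be spaced like the neighbouring attributes, `Type = "oneshot";`.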
@@ -0,0 +1,38 @@
+{ stdenv, fetchurl, makeWrapper, perl, ebtables, ipset, iptables }:
+
+stdenv.mkDerivation rec {
+ version = "2.3";
+ name = "ferm-${version}";
+
+ src = fetchurl {
+ url = "http://ferm.foo-projects.org/download/${version}/ferm-${version}.tar.gz";
+ sha256 = "0jx63fhjw5y1ahgdbn4hgd7sq6clxl80dr8a2hkryibfbwz3vs4x";
+ };
+
+ buildInputs = [ perl ipset ebtables iptables makeWrapper ];
+ preConfigure = ''
+ substituteInPlace config.mk --replace "PERL = /usr/bin/perl" "PERL = ${perl}/bin/perl"
+ substituteInPlace config.mk --replace "PREFIX = /usr" "PREFIX = $out"
+ '';
+ postInstall = ''
+ rm -r $out/lib/systemd
+ for i in "$out/sbin/"*; do
+ wrapProgram "$i" --prefix PATH : "${iptables}/bin:${ipset}/bin:${ebtables}/bin"
+ done
+ '';
+
+ meta = {
+ homepage = http://ferm.foo-projects.org/;
+ description = "Tool to maintain complex firewalls";
+ longDescription = ''
+ ferm is a tool to maintain complex firewalls, without having the trouble to
+ rewrite the complex rules over and over again. ferm allows the entire
+ firewall rule set to be stored in a separate file, and to be loaded with one
+ command. The firewall configuration resembles structured programming-like
+ language, which can contain levels and lists.
+ '';
+ license = stdenv.lib.licenses.gpl2;
+ maintainers = with stdenv.lib.maintainers; [mic92];
+ platforms = stdenv.lib.platforms.linux;
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index aee6c3832795..bf7a61f44ed5 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1556,6 +1556,8 @@ in fdm = callPackage ../tools/networking/fdm {}; + ferm = callPackage ../tools/networking/ferm { }; + fgallery = callPackage ../tools/graphics/fgallery { inherit (perlPackages) ImageExifTool JSON; }; |
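Review bot: `makeWrapper` is placed in `buildInputs` although it is only a build-time helper used by `postInstall`; the conventional and cross-compilation-correct placement is `nativeBuildInputs = [ makeWrapper ];` with `buildInputs = [ perl ipset ebtables iptables ];`. The `url` is plain `http://`, which is tolerable here only because `fetchurl` verifies the download against the pinned `sha256`; that hash is the sole integrity guarantee for this source, so future version bumps must update it rather than relax it. If I recall the setup-hook behaviour of this nixpkgs era correctly, `substituteInPlace --replace` is silent when the pattern is absent, so an upstream change to the `PERL`/`PREFIX` defaults in `config.mk` would leave `/usr/bin/perl` and `/usr` in place unnoticed; a `grep -q '${perl}/bin/perl' config.mk` after the substitutions would turn that into a build failure. Style: the unquoted URL literal in `homepage` works but `homepage = "http://ferm.foo-projects.org/";` matches the quoted `url` above it.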