-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/services/networking/ferm.nix63
-rw-r--r--pkgs/tools/networking/ferm/default.nix38
-rw-r--r--pkgs/top-level/all-packages.nix2
4 files changed, 104 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index eb89ff83e2ce..dfc1d694e976 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -335,6 +335,7 @@
   ./services/networking/docker-registry-server.nix
   ./services/networking/ejabberd.nix
   ./services/networking/fan.nix
+  ./services/networking/ferm.nix
   ./services/networking/firefox/sync-server.nix
   ./services/networking/firewall.nix
   ./services/networking/flashpolicyd.nix
diff --git a/nixos/modules/services/networking/ferm.nix b/nixos/modules/services/networking/ferm.nix
new file mode 100644
index 000000000000..6271e82541f4
--- /dev/null
+++ b/nixos/modules/services/networking/ferm.nix
@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.ferm;
+
+  configFile = pkgs.stdenv.mkDerivation {
+    name = "ferm.conf";
+    text = cfg.config;
+    preferLocalBuild = true;
+    buildCommand = ''
+      echo -n "$text" > $out
+      ${cfg.package}/bin/ferm --noexec $out
+    '';
+  };
+in {
+  options = {
+    services.ferm = {
+      enable = mkOption {
+        default = false;
+        example = true;
+        type = types.bool;
+        description = ''
+          Whether to enable Ferm Firewall.
+          *Warning*: Enabling this service WILL disable the existing NixOS
+          firewall! Default firewall rules provided by packages are not
+          considered at the moment.
+        '';
+      };
+      config = mkOption {
+        description = "Verbatim ferm.conf configuration.";
+        default = "";
+        defaultText = "empty firewall, allows any traffic";
+        type = types.lines;
+      };
+      package = mkOption {
+        description = "The ferm package.";
+        type = types.package;
+        default = pkgs.ferm;
+        defaultText = "pkgs.ferm";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.firewall.enable = false;
+    systemd.services.ferm = {
+      description = "Ferm Firewall";
+      after = [ "ipset.target" ];
+      before = [ "network-pre.target" ];
+      wants = [ "network-pre.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type="oneshot";
+        RemainAfterExit = "yes";
+        ExecStart = "${cfg.package}/bin/ferm ${configFile}";
+        ExecReload = "${cfg.package}/bin/ferm ${configFile}";
+        ExecStop = "${cfg.package}/bin/ferm -F ${configFile}";
+      };
+    };
+  };
+}
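Review bot: With `config` defaulting to `""` (L61-L62), setting `services.ferm.enable = true` without a ruleset disables the NixOS firewall (L75) and loads a configuration that permits all traffic, and `ExecStop = "… ferm -F …"` (L87) flushes every rule on stop, so a stopped or failed unit likewise leaves the host with no packet filtering. Neither consequence is stated in the option descriptions; the `enable` description warns only that the existing firewall is disabled. I would extend the `config` description to `"Verbatim ferm.conf configuration. The default is an empty ruleset, which accepts all traffic; stopping the service flushes all rules."` and consider an assertion that `cfg.config != ""` when enabled, or at least a warning, so an empty ruleset is an explicit choice rather than the default. The build-time `ferm --noexec` check in `configFile` (L36-L44) catches syntax errors only; it does not validate that the ruleset restricts anything.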
diff --git a/pkgs/tools/networking/ferm/default.nix b/pkgs/tools/networking/ferm/default.nix
new file mode 100644
index 000000000000..f4cf387ecc52
--- /dev/null
+++ b/pkgs/tools/networking/ferm/default.nix
@@ -0,0 +1,38 @@
+{ stdenv, fetchurl, makeWrapper, perl, ebtables, ipset, iptables }:
+
+stdenv.mkDerivation rec {
+  version = "2.3";
+  name = "ferm-${version}";
+
+  src = fetchurl {
+    url = "http://ferm.foo-projects.org/download/${version}/ferm-${version}.tar.gz";
+    sha256 = "0jx63fhjw5y1ahgdbn4hgd7sq6clxl80dr8a2hkryibfbwz3vs4x";
+  };
+
+  buildInputs = [ perl ipset ebtables iptables makeWrapper ];
+  preConfigure = ''
+    substituteInPlace config.mk --replace "PERL = /usr/bin/perl" "PERL = ${perl}/bin/perl"
+    substituteInPlace config.mk --replace "PREFIX = /usr" "PREFIX = $out"
+  '';
+  postInstall = ''
+    rm -r $out/lib/systemd
+    for i in "$out/sbin/"*; do
+      wrapProgram "$i" --prefix PATH : "${iptables}/bin:${ipset}/bin:${ebtables}/bin"
+    done
+  '';
+
+  meta = {
+    homepage = http://ferm.foo-projects.org/;
+    description = "Tool to maintain complex firewalls";
+    longDescription = ''
+      ferm is a tool to maintain complex firewalls, without having the trouble to
+      rewrite the complex rules over and over again. ferm allows the entire
+      firewall rule set to be stored in a separate file, and to be loaded with one
+      command. The firewall configuration resembles structured programming-like
+      language, which can contain levels and lists.
+    '';
+    license = stdenv.lib.licenses.gpl2;
+    maintainers = with stdenv.lib.maintainers; [mic92];
+    platforms = stdenv.lib.platforms.linux;
+  };
+}
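Review bot: `makeWrapper` is listed in `buildInputs` (L109) although it is only used at build time by `wrapProgram` in `postInstall` (L117); it belongs in `nativeBuildInputs`, and the same holds for `perl` if it is only needed to run the install scripts (the wrapped programs still find their interpreter via the `config.mk` substitution on L111). The `src` URL on L105 is plain `http://`; the `sha256` on L106 pins the content, so a tampered download is rejected, but if the project serves the tarball over TLS the URL should use `https://` so the fetch fails closed on a connection problem rather than relying solely on the hash check.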
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 2666b2c3cb08..21bda8f3dc9e 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1552,6 +1552,8 @@ in
 
   fdm = callPackage ../tools/networking/fdm {};
 
+  ferm = callPackage ../tools/networking/ferm { };
+
   fgallery = callPackage ../tools/graphics/fgallery {
     inherit (perlPackages) ImageExifTool JSON;
   };