diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/networking/firewall.nix')
-rw-r--r-- | nixpkgs/nixos/modules/services/networking/firewall.nix | 30 |
1 files changed, 16 insertions, 14 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/firewall.nix b/nixpkgs/nixos/modules/services/networking/firewall.nix index 5b3aa19af3bb..15aaf7410674 100644 --- a/nixpkgs/nixos/modules/services/networking/firewall.nix +++ b/nixpkgs/nixos/modules/services/networking/firewall.nix @@ -42,16 +42,7 @@ let kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false); - helpers = - '' - # Helper command to manipulate both the IPv4 and IPv6 tables. - ip46tables() { - iptables -w "$@" - ${optionalString config.networking.enableIPv6 '' - ip6tables -w "$@" - ''} - } - ''; + helpers = import ./helpers.nix { inherit config lib; }; writeShScript = name: text: let dir = pkgs.writeScriptBin name '' #! ${pkgs.runtimeShell} -e @@ -271,7 +262,7 @@ let apply = canonicalizePortList; example = [ 22 80 ]; description = - '' + '' List of TCP ports on which incoming connections are accepted. ''; @@ -282,7 +273,7 @@ let default = [ ]; example = [ { from = 8999; to = 9003; } ]; description = - '' + '' A range of TCP ports on which incoming connections are accepted. ''; @@ -331,6 +322,17 @@ in ''; }; + package = mkOption { + type = types.package; + default = pkgs.iptables; + defaultText = "pkgs.iptables"; + example = literalExample "pkgs.iptables-nftables-compat"; + description = + '' + The iptables package to use for running the firewall service." + ''; + }; + logRefusedConnections = mkOption { type = types.bool; default = true; @@ -536,7 +538,7 @@ in networking.firewall.trustedInterfaces = [ "lo" ]; - environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages; + environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages; boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack") ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; @@ -555,7 +557,7 @@ in before = [ "network-pre.target" ]; after = [ "systemd-modules-load.service" ]; - path = [ pkgs.iptables ] ++ cfg.extraPackages; + path = [ cfg.package ] ++ cfg.extraPackages; # FIXME: this module may also try to load kernel modules, but # containers don't have CAP_SYS_MODULE. So the host system had |