authorEelco Dolstra <eelco.dolstra@logicblox.com>2011-03-11 13:04:17 +0000
committerEelco Dolstra <eelco.dolstra@logicblox.com>2011-03-11 13:04:17 +0000
commit005ca15f648992aa2db18d2d509db7bcba9f97e8 (patch)
tree863a4718da0939224cc5eabfcff64e10aef37d70 /modules/services/networking/firewall.nix
parent6160100a9ad6b9eee60b38b829d5a9da8ab9eba5 (diff)
* Firewall: add an option to allow extra firewall rules to be added.
* Firewall: change the policy of the INPUT chain back to ACCEPT to
  prevent a lockup when the Nix store is mounted over the network
  (i.e. in our VM tests).  This is because as soon as the policy is
  set to DROP, the iptables modules that enable access to the network
  filesystem cannot be accessed anymore.

svn path=/nixos/trunk/; revision=26274
Diffstat (limited to 'modules/services/networking/firewall.nix')
-rw-r--r--modules/services/networking/firewall.nix16
1 files changed, 15 insertions, 1 deletions
diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index 15e937b6736..287a2e472cd 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -89,6 +89,18 @@ in
         '';
     };
   
+    networking.firewall.extraCommands = mkOption {
+      default = "";
+      example = "iptables -A INPUT -p icmp -j ACCEPT";
+      description =
+        ''
+          Additional shell commands executed as part of the firewall
+          initialisation script.  These are executed just before the
+          final "reject" firewall rule is added, so they can be used
+          to allow packets that would otherwise be refused.
+        '';
+    };
+  
   };
 
 
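Review bot: The new `networking.firewall.extraCommands` option declares no `type`, so if more than one module defines it the values go through the default merge instead of being concatenated; where this version of the module system provides it, `type = types.lines;` makes several definitions join with newlines, which is the natural semantics for a snippet of rules. The description could also say that the commands are spliced verbatim into the firewall initialisation script, so they run with that script's error handling, and that `INPUT` is flushed at the start of that script, so rules appended to `INPUT` here are not duplicated when the script re-runs. The enclosing option set starts above the hunk.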
@@ -119,7 +131,7 @@ in
             ip46tables -F INPUT
             ip46tables -F FW_REFUSE || true
             ip46tables -X # flush unused chains
-            ip46tables -P INPUT DROP
+            ip46tables -P INPUT ACCEPT
 
 
             # The "FW_REFUSE" chain performs logging and
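Review bot: Changing the `INPUT` policy to `ACCEPT` at the `ip46tables -P INPUT ACCEPT` line turns the script from fail-closed into fail-open: the chain is flushed a few lines above, so until the final `ip46tables -A INPUT -j FW_REFUSE` (added in the last hunk of this commit) is appended, and permanently if anything between those two points fails or the script is interrupted, the host accepts all inbound traffic. The same applies when a user-supplied command from `extraCommands`, which the third hunk runs just before that final reject, exits non-zero and the script aborts on error. A comment above the changed line such as `# Policy is ACCEPT (see commit message); the trailing FW_REFUSE rule is the only thing closing this chain, so nothing may fail before it.` would record the consequence for the next reader. An alternative that may still satisfy the VM-test case is to re-apply `ip46tables -P INPUT DROP` as the very last step, once all rules are in place and the needed modules are loaded, though whether that avoids the mount problem cannot be judged from this hunk.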
@@ -174,6 +186,8 @@ in
             ip6tables -A INPUT -p icmpv6 --icmpv6-type 139 -j DROP
             ip6tables -A INPUT -p icmpv6 -j ACCEPT
 
+            ${cfg.extraCommands}
+
             # Reject/drop everything else.
             ip46tables -A INPUT -j FW_REFUSE
           '';
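Review bot: The `${cfg.extraCommands}` splice carries no comment, while the surrounding stretches of this script each have one; `# User-supplied rules (networking.firewall.extraCommands); appended after the built-in accepts and before the catch-all reject.` would match the file's style. Because a chain is evaluated first match wins, the extra rules can only admit traffic that the rules above would otherwise hand to `FW_REFUSE`; they cannot narrow the ICMPv6 accept two lines earlier or anything before it, which the option description could state explicitly. The attribute enclosing this script continues outside the hunk.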