* Add an option to enable the firewall. It should eventually be

  enabled by default.

svn path=/nixos/branches/modular-nixos/; revision=16464

1 files changed, 17 insertions, 4 deletions

diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index a6a5f8fec2b..ef6b3a94472 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -12,6 +12,14 @@ in
 
   options = {
   
+    networking.firewall.enable = pkgs.lib.mkOption {
+      default = false;
+      description =
+        ''
+          Whether to enable the firewall.
+        '';
+    };
+  
     networking.firewall.allowedTCPPorts = pkgs.lib.mkOption {
       default = [];
       example = [22 80];
@@ -27,14 +35,21 @@ in
 
 
   ###### implementation
-  
-  config = {
+
+  # !!! Maybe if `enable' is false, the firewall should still be built
+  # but not started by default.  However, currently nixos-rebuild
+  # doesn't deal with such Upstart jobs properly (it starts them if
+  # they are changed, regardless of whether the start condition
+  # holds).
+  config = pkgs.lib.mkIf config.networking.firewall.enable {
 
     environment.systemPackages = [pkgs.iptables];
 
     jobs = pkgs.lib.singleton
       { name = "firewall";
 
+        startOn = "network-interfaces/started";
+
         preStart =
           ''
             ${iptables} -F
@@ -63,8 +78,6 @@ in
           '';     
       };
 
-    networking.firewall.allowedTCPPorts = [22];
-    
   };
 
 }