author | Izorkin <izorkin@elven.pw> | 2019-08-19 20:21:24 +0300 |
committer | Izorkin <izorkin@elven.pw> | 2019-09-03 21:49:55 +0300 |
commit | 32f6ce33eda127e643e9232863749b28a8429e17 (patch) | |
tree | 9feadc31b2a878cf1686169149e3958e3039b1cf /nixos | |
parent | 4deb74b760d43d28e9ce6c32fc54aa83cfffa684 (diff) | |
nixos/firewall: add package option
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/firewall.nix | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 5b3aa19af3b..a1755fd84d4 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -331,6 +331,16 @@ in
 '';
 };

+ package = mkOption {
+ type = types.package;
+ default = pkgs.iptables;
+ example = pkgs.iptables-compat;
+ description =
+ ''
+ The iptables package to use for running the firewall service."
+ '';
+ };
+
 logRefusedConnections = mkOption {
 type = types.bool;
 default = true;
@@ -536,7 +546,7 @@ in

 networking.firewall.trustedInterfaces = [ "lo" ];

- environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
+ environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages;

 boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
 ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
@@ -555,7 +565,7 @@ in
 before = [ "network-pre.target" ];
 after = [ "systemd-modules-load.service" ];

- path = [ pkgs.iptables ] ++ cfg.extraPackages;
+ path = [ cfg.package ] ++ cfg.extraPackages;

 # FIXME: this module may also try to load kernel modules, but
 # containers don't have CAP_SYS_MODULE. So the host system had |
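Review bot: The description of the new `package` option in the first hunk carries a stray trailing double quote, `The iptables package to use for running the firewall service."`, which will be rendered verbatim in the generated option documentation; it should read `The iptables package to use for running the firewall service.`. Because the option accepts any package, the description should also say what a substitute has to provide: the second and third hunks place `cfg.package` on `environment.systemPackages` and on the service `path`, so (as far as can be inferred here) the firewall script resolves `iptables`/`ip6tables` by name from PATH, and a package that does not ship compatible binaries there will make the firewall unit fail at start and leave the rules unapplied. A sentence such as `The package must provide iptables and ip6tables binaries compatible with the rules generated by this module.` would make that contract explicit. Whether any other direct `pkgs.iptables` references remain in the module outside these hunks cannot be seen from here; if they do, they should be switched to `cfg.package` for consistency. The enclosing `options` and `config` attribute sets begin and end outside the hunks.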