author | Maciej Krüger <mkg20001@gmail.com> | 2023-09-04 22:07:50 +0200 |
committer | GitHub <noreply@github.com> | 2023-09-04 22:07:50 +0200 |
commit | ca6ed1cc8d4771d5d115d16b9f67157c658e36d8 (patch) | |
tree | 7107ab52fc29a91544f0542a636a993ad68cd3e0 /nixos | |
parent | 6a2fd5e262c552ad8c6b00b86af0a2d58cb7af0a (diff) | |
parent | 0ab3a1fd7888ce09e480787a0c6cd11bbfc97a7e (diff) | |
Merge pull request #241680 from 4z3/networking.nftables.checkRulesetRedirects
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/nftables.nix | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix
index 0e4cd6fa150..47159ade328 100644
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@@ -70,6 +70,26 @@ in
 '';
 };
 
+ networking.nftables.checkRulesetRedirects = mkOption {
+ type = types.addCheck (types.attrsOf types.path) (attrs: all types.path.check (attrNames attrs));
+ default = {
+ "/etc/hosts" = config.environment.etc.hosts.source;
+ "/etc/protocols" = config.environment.etc.protocols.source;
+ "/etc/services" = config.environment.etc.services.source;
+ };
+ defaultText = literalExpression ''
+ {
+ "/etc/hosts" = config.environment.etc.hosts.source;
+ "/etc/protocols" = config.environment.etc.protocols.source;
+ "/etc/services" = config.environment.etc.services.source;
+ }
+ '';
+ description = mdDoc ''
+ Set of paths that should be intercepted and rewritten while checking the ruleset
+ using `pkgs.buildPackages.libredirect`.
+ '';
+ };
+
 networking.nftables.preCheckRuleset = mkOption {
 type = types.lines;
 default = "";
@@ -282,7 +302,7 @@ in
 cp $out ruleset.conf
 sed 's|include "${deletionsScriptVar}"||' -i ruleset.conf
 ${cfg.preCheckRuleset}
- export NIX_REDIRECTS=/etc/protocols=${pkgs.buildPackages.iana-etc}/etc/protocols:/etc/services=${pkgs.buildPackages.iana-etc}/etc/services
+ export NIX_REDIRECTS=${escapeShellArg (concatStringsSep ":" (mapAttrsToList (n: v: "${n}=${v}") cfg.checkRulesetRedirects))}
 LD_PRELOAD="${pkgs.buildPackages.libredirect}/lib/libredirect.so ${pkgs.buildPackages.lklWithFirewall.lib}/lib/liblkl-hijack.so" \
 ${pkgs.buildPackages.nftables}/bin/nft --check --file ruleset.conf
 '';
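Review bot: The type check on the new `checkRulesetRedirects` option only verifies that every key and value is an absolute path, but the set is later serialized into `NIX_REDIRECTS` as `:`-separated `src=dst` pairs (the removed `export` line in the second hunk shows that format), so a key or value containing `:` or `=` passes module evaluation and would then presumably be mis-split by libredirect at check time, silently dropping or corrupting a redirect. For keys the check could be tightened to `(attrs: all (n: types.path.check n && !(hasInfix ":" n || hasInfix "=" n)) (attrNames attrs))`, assuming `lib` is in scope as the other unqualified helpers suggest; values are store paths by default and are unlikely to hit this, but the same constraint applies to user-supplied ones. The option description should state that constraint as well, e.g. `Keys and values must not contain ':' or '=', because the set is serialized into libredirect's NIX_REDIRECTS variable.` The `preCheckRuleset` option block and the check script's enclosing string both continue outside the hunks.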