authorMaciej Krüger <mkg20001@gmail.com>2023-09-04 22:07:50 +0200
committerGitHub <noreply@github.com>2023-09-04 22:07:50 +0200
commitca6ed1cc8d4771d5d115d16b9f67157c658e36d8 (patch)
tree7107ab52fc29a91544f0542a636a993ad68cd3e0 /nixos
parent6a2fd5e262c552ad8c6b00b86af0a2d58cb7af0a (diff)
parent0ab3a1fd7888ce09e480787a0c6cd11bbfc97a7e (diff)
Merge pull request #241680 from 4z3/networking.nftables.checkRulesetRedirects
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/networking/nftables.nix22
1 files changed, 21 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix
index 0e4cd6fa150..47159ade328 100644
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@@ -70,6 +70,26 @@ in
       '';
     };
 
+    networking.nftables.checkRulesetRedirects = mkOption {
+      type = types.addCheck (types.attrsOf types.path) (attrs: all types.path.check (attrNames attrs));
+      default = {
+        "/etc/hosts" = config.environment.etc.hosts.source;
+        "/etc/protocols" = config.environment.etc.protocols.source;
+        "/etc/services" = config.environment.etc.services.source;
+      };
+      defaultText = literalExpression ''
+        {
+          "/etc/hosts" = config.environment.etc.hosts.source;
+          "/etc/protocols" = config.environment.etc.protocols.source;
+          "/etc/services" = config.environment.etc.services.source;
+        }
+      '';
+      description = mdDoc ''
+        Set of paths that should be intercepted and rewritten while checking the ruleset
+        using `pkgs.buildPackages.libredirect`.
+      '';
+    };
+
     networking.nftables.preCheckRuleset = mkOption {
       type = types.lines;
       default = "";
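Review bot: The `addCheck` on `networking.nftables.checkRulesetRedirects` rejects keys that are not absolute paths, but the description does not say so, and a bad key surfaces only as a generic "not of type" error at evaluation time. I would extend the description with `Keys must be absolute paths as seen by the ruleset check and values the files they are rewritten to; this only affects the build-time ` + "`nft --check`" + `, not the running firewall.` (as one sentence in the mdDoc string). It is also worth a caveat that a value given as a plain string path outside the Nix store passes `types.path` but is presumably not readable inside the build sandbox where the check runs, whereas a path literal is copied into the store — the sandbox setup is not visible in this hunk, so confirm before documenting it as fact.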
@@ -282,7 +302,7 @@ in
             cp $out ruleset.conf
             sed 's|include "${deletionsScriptVar}"||' -i ruleset.conf
             ${cfg.preCheckRuleset}
-            export NIX_REDIRECTS=/etc/protocols=${pkgs.buildPackages.iana-etc}/etc/protocols:/etc/services=${pkgs.buildPackages.iana-etc}/etc/services
+            export NIX_REDIRECTS=${escapeShellArg (concatStringsSep ":" (mapAttrsToList (n: v: "${n}=${v}") cfg.checkRulesetRedirects))}
             LD_PRELOAD="${pkgs.buildPackages.libredirect}/lib/libredirect.so ${pkgs.buildPackages.lklWithFirewall.lib}/lib/liblkl-hijack.so" \
               ${pkgs.buildPackages.nftables}/bin/nft --check --file ruleset.conf
           '';
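Review bot: The `NIX_REDIRECTS` string built on the `export` line uses `:` to separate entries and `=` to separate source from target, so any key or value containing either character would be mis-parsed by libredirect, and the option's type check (absolute-path keys, `types.path` values) does not exclude them. Since the value is inside `escapeShellArg`, the shell will not complain either; the failure would be a silently wrong redirect during `nft --check`. A one-line guard at the point of use would make it explicit, e.g. `assert all (s: !(hasInfix ":" s || hasInfix "=" s)) (mapAttrsToList (n: v: "${n}${v}") cfg.checkRulesetRedirects);` placed before the `export` (assuming `hasInfix` is in scope via the same `with lib;` that provides `escapeShellArg`). The shell script this line belongs to starts before the hunk.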