* Firewall: add an option to allow extra firewall rules to be added.

* Firewall: change the policy of the INPUT chain back to ACCEPT to prevent a lockup when the Nix store is mounted over the network (i.e. in our VM tests). This is because as soon as the policy is set to DROP, the iptables modules that enable access to the network filesystem cannot be acccessed anymore. svn path=/nixos/trunk/; revision=26274
2011-03-11 13:04:17 +00:00 · 2011-03-11 13:04:17 +00:00 · 005ca15f64
parent 6160100a9a
commit 005ca15f64
1 changed files with 15 additions and 1 deletions
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@ -89,6 +89,18 @@ in
        '';
    };
  
+    networking.firewall.extraCommands = mkOption {
+      default = "";
+      example = "iptables -A INPUT -p icmp -j ACCEPT";
+      description =
+        ''
+          Additional shell commands executed as part of the firewall
+          initialisation script.  These are executed just before the
+          final "reject" firewall rule is added, so they can be used
+          to allow packets that would otherwise be refused.
+        '';
+    };
+  
  };


@ -119,7 +131,7 @@ in
            ip46tables -F INPUT
            ip46tables -F FW_REFUSE || true
            ip46tables -X # flush unused chains
-            ip46tables -P INPUT DROP
+            ip46tables -P INPUT ACCEPT


            # The "FW_REFUSE" chain performs logging and
@ -174,6 +186,8 @@ in
            ip6tables -A INPUT -p icmpv6 --icmpv6-type 139 -j DROP
            ip6tables -A INPUT -p icmpv6 -j ACCEPT

+            ${cfg.extraCommands}
+
            # Reject/drop everything else.
            ip46tables -A INPUT -j FW_REFUSE
          '';