public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

firewall: Allow setting rate limits for pings

Browse Source
This commit is contained in:
Shea Levy 2014-03-14 14:55:30 -04:00
parent 50d144278d
commit a0d574f19b
1 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
nixos/modules/services/networking/firewall.nix
View File

@ -171,6 +171,17 @@ in
''; '';
}; };
networking.firewall.pingLimit = mkOption {
default = null;
type = types.nullOr (types.separatedString " ");
description =
''
If pings are allowed, this allows setting rate limits
on them. If non-null, this option should be in the form
of flags like "-limit 1/minute -limit-burst 5"
'';
};
networking.firewall.checkReversePath = mkOption { networking.firewall.checkReversePath = mkOption {
default = kernelHasRPFilter; default = kernelHasRPFilter;
type = types.bool; type = types.bool;
@ -375,7 +386,9 @@ in
# Optionally respond to ICMPv4 pings. # Optionally respond to ICMPv4 pings.
${optionalString cfg.allowPing '' ${optionalString cfg.allowPing ''
iptables -A nixos-fw -p icmp --icmp-type echo-request -j nixos-fw-accept iptables -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null)
"-m limit ${cfg.pingLimit} "
}-j nixos-fw-accept
''} ''}
# Accept all ICMPv6 messages except redirects and node # Accept all ICMPv6 messages except redirects and node