public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/firewall: Add the ability to specify additional packages for extraCommands

Browse Source
This commit is contained in:
William A. Kennington III 2015-07-26 16:32:59 -07:00
parent f07b2121f9
commit abc7c1b013
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
nixos/modules/services/networking/firewall.nix
View File

@ -420,6 +420,16 @@ in
''; '';
}; };
networking.firewall.extraPackages = mkOption {
default = [ ];
example = [ pkgs.ipset ];
description =
''
Additional packages to be included in the environment of the system
as well as the path of networking.firewall.extraCommands.
'';
};
networking.firewall.extraStopCommands = mkOption { networking.firewall.extraStopCommands = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
@ -443,7 +453,7 @@ in
networking.firewall.trustedInterfaces = [ "lo" ]; networking.firewall.trustedInterfaces = [ "lo" ];
environment.systemPackages = [ pkgs.iptables ]; environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) '' boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) ''
@ -462,7 +472,7 @@ in
before = [ "network-pre.target" ]; before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ]; after = [ "systemd-modules-load.service" ];
path = [ pkgs.iptables ]; path = [ pkgs.iptables ] ++ cfg.extraPackages;
# FIXME: this module may also try to load kernel modules, but # FIXME: this module may also try to load kernel modules, but
# containers don't have CAP_SYS_MODULE. So the host system had # containers don't have CAP_SYS_MODULE. So the host system had