nixos/firewall: add package option

This commit is contained in:
Izorkin 2019-08-19 20:21:24 +03:00
parent 4deb74b760
commit 32f6ce33ed


@ -331,6 +331,16 @@ in
''; '';
}; };
package = mkOption {
type = types.package;
default = pkgs.iptables;
example = pkgs.iptables-compat;
description =
''
The iptables package to use for running the firewall service."
'';
};
logRefusedConnections = mkOption { logRefusedConnections = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
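Review bot: The new `description` text in the `package` option ends with a stray double quote (`...firewall service."`) inside the `''` string; since `"` needs no escaping in an indented string, this is not a syntax error, but the quote will be emitted verbatim into the generated option documentation. The line should read `The iptables package to use for running the firewall service.`. It may also be worth stating in the description that the same package is placed on the service's `path` and in `environment.systemPackages`, since both later hunks switch from `pkgs.iptables` to `cfg.package`, so whatever package is chosen must provide the `iptables`/`ip6tables` commands the firewall scripts call. The enclosing `options` attribute set starts and ends outside this hunk.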
@ -536,7 +546,7 @@ in
networking.firewall.trustedInterfaces = [ "lo" ]; networking.firewall.trustedInterfaces = [ "lo" ];
environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages; environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages;
boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack") boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
@ -555,7 +565,7 @@ in
before = [ "network-pre.target" ]; before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ]; after = [ "systemd-modules-load.service" ];
path = [ pkgs.iptables ] ++ cfg.extraPackages; path = [ cfg.package ] ++ cfg.extraPackages;
# FIXME: this module may also try to load kernel modules, but # FIXME: this module may also try to load kernel modules, but
# containers don't have CAP_SYS_MODULE. So the host system had # containers don't have CAP_SYS_MODULE. So the host system had