nixos/firewall: add package option
This commit is contained in:
parent
4deb74b760
commit
32f6ce33ed
@ -331,6 +331,16 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
package = mkOption {
|
||||||
|
type = types.package;
|
||||||
|
default = pkgs.iptables;
|
||||||
|
example = pkgs.iptables-compat;
|
||||||
|
description =
|
||||||
|
''
|
||||||
|
The iptables package to use for running the firewall service."
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
logRefusedConnections = mkOption {
|
logRefusedConnections = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = true;
|
default = true;
|
||||||
@ -536,7 +546,7 @@ in
|
|||||||
|
|
||||||
networking.firewall.trustedInterfaces = [ "lo" ];
|
networking.firewall.trustedInterfaces = [ "lo" ];
|
||||||
|
|
||||||
environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
|
environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages;
|
||||||
|
|
||||||
boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
|
boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
|
||||||
++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
|
++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
|
||||||
@ -555,7 +565,7 @@ in
|
|||||||
before = [ "network-pre.target" ];
|
before = [ "network-pre.target" ];
|
||||||
after = [ "systemd-modules-load.service" ];
|
after = [ "systemd-modules-load.service" ];
|
||||||
|
|
||||||
path = [ pkgs.iptables ] ++ cfg.extraPackages;
|
path = [ cfg.package ] ++ cfg.extraPackages;
|
||||||
|
|
||||||
# FIXME: this module may also try to load kernel modules, but
|
# FIXME: this module may also try to load kernel modules, but
|
||||||
# containers don't have CAP_SYS_MODULE. So the host system had
|
# containers don't have CAP_SYS_MODULE. So the host system had
|
||||||
|
Loading…
Reference in New Issue
Block a user