commit ca6ed1cc8d4771d5d115d16b9f67157c658e36d8 · pyrox.dev/nixpkgs

+21 -1
nixos/modules/services/networking/nftables.nix
···

       70
       70
        
             '';

     

       71
       71
        
           };

     

       72
       72
        
       

     

       73
       73
       +
           networking.nftables.checkRulesetRedirects = mkOption {

     

       74
       74
       +
             type = types.addCheck (types.attrsOf types.path) (attrs: all types.path.check (attrNames attrs));

     

       75
       75
       +
             default = {

     

       76
       76
       +
               "/etc/hosts" = config.environment.etc.hosts.source;

     

       77
       77
       +
               "/etc/protocols" = config.environment.etc.protocols.source;

     

       78
       78
       +
               "/etc/services" = config.environment.etc.services.source;

     

       79
       79
       +
             };

     

       80
       80
       +
             defaultText = literalExpression ''

     

       81
       81
       +
               {

     

       82
       82
       +
                 "/etc/hosts" = config.environment.etc.hosts.source;

     

       83
       83
       +
                 "/etc/protocols" = config.environment.etc.protocols.source;

     

       84
       84
       +
                 "/etc/services" = config.environment.etc.services.source;

     

       85
       85
       +
               }

     

       86
       86
       +
             '';

     

       87
       87
       +
             description = mdDoc ''

     

       88
       88
       +
               Set of paths that should be intercepted and rewritten while checking the ruleset

     

       89
       89
       +
               using `pkgs.buildPackages.libredirect`.

     

       90
       90
       +
             '';

     

       91
       91
       +
           };

     

       92
       92
       +
       

     

       73
       93
        
           networking.nftables.preCheckRuleset = mkOption {

     

       74
       94
        
             type = types.lines;

     

       75
       95
        
             default = "";

     
···

       282
       302
        
                   cp $out ruleset.conf

     

       283
       303
        
                   sed 's|include "${deletionsScriptVar}"||' -i ruleset.conf

     

       284
       304
        
                   ${cfg.preCheckRuleset}

     

       285
       285
       -
                   export NIX_REDIRECTS=/etc/protocols=${pkgs.buildPackages.iana-etc}/etc/protocols:/etc/services=${pkgs.buildPackages.iana-etc}/etc/services

     

       305
       305
       +
                   export NIX_REDIRECTS=${escapeShellArg (concatStringsSep ":" (mapAttrsToList (n: v: "${n}=${v}") cfg.checkRulesetRedirects))}

     

       286
       306
        
                   LD_PRELOAD="${pkgs.buildPackages.libredirect}/lib/libredirect.so ${pkgs.buildPackages.lklWithFirewall.lib}/lib/liblkl-hijack.so" \

     

       287
       307
        
                     ${pkgs.buildPackages.nftables}/bin/nft --check --file ruleset.conf

     

       288
       308
        
                 '';