Merge pull request #241680 from 4z3/networking.nftables.checkRulesetRedirects

This commit is contained in:
Maciej Krüger 2023-09-04 22:07:50 +02:00 committed by GitHub
commit ca6ed1cc8d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -70,6 +70,26 @@ in
'';
};
networking.nftables.checkRulesetRedirects = mkOption {
type = types.addCheck (types.attrsOf types.path) (attrs: all types.path.check (attrNames attrs));
default = {
"/etc/hosts" = config.environment.etc.hosts.source;
"/etc/protocols" = config.environment.etc.protocols.source;
"/etc/services" = config.environment.etc.services.source;
};
defaultText = literalExpression ''
{
"/etc/hosts" = config.environment.etc.hosts.source;
"/etc/protocols" = config.environment.etc.protocols.source;
"/etc/services" = config.environment.etc.services.source;
}
'';
description = mdDoc ''
Set of paths that should be intercepted and rewritten while checking the ruleset
using `pkgs.buildPackages.libredirect`.
'';
};
networking.nftables.preCheckRuleset = mkOption {
type = types.lines;
default = "";
@ -282,7 +302,7 @@ in
cp $out ruleset.conf
sed 's|include "${deletionsScriptVar}"||' -i ruleset.conf
${cfg.preCheckRuleset}
export NIX_REDIRECTS=/etc/protocols=${pkgs.buildPackages.iana-etc}/etc/protocols:/etc/services=${pkgs.buildPackages.iana-etc}/etc/services
export NIX_REDIRECTS=${escapeShellArg (concatStringsSep ":" (mapAttrsToList (n: v: "${n}=${v}") cfg.checkRulesetRedirects))}
LD_PRELOAD="${pkgs.buildPackages.libredirect}/lib/libredirect.so ${pkgs.buildPackages.lklWithFirewall.lib}/lib/liblkl-hijack.so" \
${pkgs.buildPackages.nftables}/bin/nft --check --file ruleset.conf
'';
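Review bot: The `export NIX_REDIRECTS=...` line joins the mapping with `:` and `=`, which libredirect treats as separators, but the option type's addCheck only verifies that the attribute names are absolute paths, so a source or replacement path containing either character would silently corrupt the whole redirect list instead of failing at evaluation time. The check could be tightened to `(attrs: all (n: types.path.check n && !(hasInfix ":" n || hasInfix "=" n)) (attrNames attrs))`, and the option description should state the constraint: `Neither an intercepted path nor its replacement may contain a colon or an equals sign, since libredirect uses them as separators in NIX_REDIRECTS.` Because the default now also redirects /etc/hosts, the description would also benefit from noting that `nft --check` resolves names against the target system's files rather than the build sandbox's. The shell string that contains this line begins before the hunk.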