colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #285813 from jerrita/nft-precheck-flatten

Browse Source 
nixos/nftables: add option for flattening rulesetFile
This commit is contained in:
Lin Jian 2024-02-11 10:41:17 +08:00 committed by GitHub
commit f3a93440fb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
nixos/modules/services/networking/nftables.nix
View File

@ -185,6 +185,19 @@ in
can be loaded using "nft -f". The ruleset is updated atomically.
'';
};
networking.nftables.flattenRulesetFile = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Use `builtins.readFile` rather than `include` to handle {option}`networking.nftables.rulesetFile`. It is useful when you want to apply {option}`networking.nftables.preCheckRuleset` to {option}`networking.nftables.rulesetFile`.
::: {.note}
It is expected that {option}`networking.nftables.rulesetFile` can be accessed from the build sandbox.
:::
'';
};
networking.nftables.tables = mkOption {
type = types.attrsOf (types.submodule tableSubmodule);
@ -295,9 +308,13 @@ in
}
'') enabledTables)}
${cfg.ruleset}
${lib.optionalString (cfg.rulesetFile != null) ''
include "${cfg.rulesetFile}"
''}
${if cfg.rulesetFile != null then
if cfg.flattenRulesetFile then
builtins.readFile cfg.rulesetFile
else ''
include "${cfg.rulesetFile}"
''
else ""}
'';
checkPhase = lib.optionalString cfg.checkRuleset ''
cp $out ruleset.conf