Author: eelco
Date: Fri Mar 11 13:04:17 2011
New Revision: 26274
URL: https://svn.nixos.org/websvn/nix/?rev=26274&sc=1
Log:
* Firewall: add an option to allow extra firewall rules to be added.
* Firewall: change the policy of the INPUT chain back to ACCEPT to
prevent a lockup when the Nix store is mounted over the network
(i.e. in our VM tests). This is because as soon as the policy is
set to DROP, the iptables modules that enable access to the network
filesystem cannot be accessed anymore.
Modified:
nixos/trunk/modules/services/networking/firewall.nix
Modified: nixos/trunk/modules/services/networking/firewall.nix
==============================================================================
--- nixos/trunk/modules/services/networking/firewall.nix Fri Mar 11
12:56:04 2011 (r26273)
+++ nixos/trunk/modules/services/networking/firewall.nix Fri Mar 11
13:04:17 2011 (r26274)
@@ -89,6 +89,18 @@
'';
};
+ networking.firewall.extraCommands = mkOption {
+ default = "";
+ example = "iptables -A INPUT -p icmp -j ACCEPT";
+ description =
+ ''
+ Additional shell commands executed as part of the firewall
+ initialisation script. These are executed just before the
+ final "reject" firewall rule is added, so they can be used
+ to allow packets that would otherwise be refused.
+ '';
+ };
+
};
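Review bot: `networking.firewall.extraCommands` declares no `type`, so what happens when more than one module sets it (concatenation versus "conflicting definition") is left to the default merge behaviour; declaring a type that concatenates multiple definitions would make the option safe to use from several modules. The description also says the commands are run "just before the final reject rule", but it does not say that they are spliced verbatim into the firewall script and are subject to that script's error handling, which a user writing a multi-line value would want to know.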
@@ -119,7 +131,7 @@
ip46tables -F INPUT
ip46tables -F FW_REFUSE || true
ip46tables -X # flush unused chains
- ip46tables -P INPUT DROP
+ ip46tables -P INPUT ACCEPT
# The "FW_REFUSE" chain performs logging and
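Review bot: switching the default policy from `DROP` to `ACCEPT` means the host is fail-open while the script runs. Between `ip46tables -F INPUT` and the later `ip46tables -A INPUT -j FW_REFUSE` the INPUT chain accepts everything, and if the script aborts anywhere in between (a typo in a rule, a missing module) it stays that way instead of staying closed as it did with `DROP`. If the network-filesystem problem from the log message is the only reason for the change, consider restoring the `DROP` policy as the last step once all rules (and hence all modules) are in place, and at least record the trade-off in the comment here so it is not silently "fixed" back later.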
@@ -174,6 +186,8 @@
ip6tables -A INPUT -p icmpv6 --icmpv6-type 139 -j DROP
ip6tables -A INPUT -p icmpv6 -j ACCEPT
+ ${cfg.extraCommands}
+
# Reject/drop everything else.
ip46tables -A INPUT -j FW_REFUSE
'';
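Review bot: `${cfg.extraCommands}` is interpolated unquoted and runs before `ip46tables -A INPUT -j FW_REFUSE`, which is the right position for "allow" rules, but combined with the `ACCEPT` policy introduced above it means that a failing user command which terminates the script leaves the chain without its final reject rule. A short comment in the script (and in the option description) stating that extra commands must not fail, or wrapping the block so a failure still appends the `FW_REFUSE` rule, would close that gap.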
_______________________________________________
nix-commits mailing list
[email protected]
http://mail.cs.uu.nl/mailman/listinfo/nix-commits