Merge pull request #17908 from Mic92/ferm

Ferm

authored by

Graham Christensen and committed by
GitHub
8d10928a c011aa86

+105
+1
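--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@@ -249,6 +249,7 @@
 mcmtroffaes = "Matthias C. M. Troffaes <matthias.troffaes@gmail.com>";
 meditans = "Carlo Nucera <meditans@gmail.com>";
 meisternu = "Matt Miemiec <meister@krutt.org>";
+mic92 = "Jörg Thalheim <joerg@higgsboson.tk>";
 michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
 michalrus = "Michal Rus <m@michalrus.com>";
 michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";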
+1
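--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -335,6 +335,7 @@
 ./services/networking/docker-registry-server.nix
 ./services/networking/ejabberd.nix
 ./services/networking/fan.nix
+./services/networking/ferm.nix
 ./services/networking/firefox/sync-server.nix
 ./services/networking/firewall.nix
 ./services/networking/flashpolicyd.nix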
+63
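--- a/nixos/modules/services/networking/ferm.nix
+++ b/nixos/modules/services/networking/ferm.nix
@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.services.ferm;
+
+configFile = pkgs.stdenv.mkDerivation {
+name = "ferm.conf";
+text = cfg.config;
+preferLocalBuild = true;
+buildCommand = ''
+echo -n "$text" > $out
+${cfg.package}/bin/ferm --noexec $out
+'';
+};
+in {
+options = {
+services.ferm = {
+enable = mkOption {
+default = false;
+example = true;
+type = types.bool;
+description = ''
+Whether to enable Ferm Firewall.
+*Warning*: Enabling this service WILL disable the existing NixOS
+firewall! Default firewall rules provided by packages are not
+considered at the moment.
+'';
+};
+config = mkOption {
+description = "Verbatim ferm.conf configuration.";
+default = "";
+defaultText = "empty firewall, allows any traffic";
+type = types.lines;
+};
+package = mkOption {
+description = "The ferm package.";
+type = types.package;
+default = pkgs.ferm;
+defaultText = "pkgs.ferm";
+};
+};
+};
+
+config = mkIf cfg.enable {
+systemd.services.firewall.enable = false;
+systemd.services.ferm = {
+description = "Ferm Firewall";
+after = [ "ipset.target" ];
+before = [ "network-pre.target" ];
+wants = [ "network-pre.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+Type="oneshot";
+RemainAfterExit = "yes";
+ExecStart = "${cfg.package}/bin/ferm ${configFile}";
+ExecReload = "${cfg.package}/bin/ferm ${configFile}";
+ExecStop = "${cfg.package}/bin/ferm -F ${configFile}";
+};
+};
+};
+}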
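Review bot: `systemd.services.firewall.enable = false;` (new line 47) only switches off the NixOS firewall unit while `networking.firewall.enable` keeps its default, so the rest of the configuration still believes a firewall is active (ports opened through `networking.firewall.allowedTCPPorts` and similar would, as far as I can tell, be silently ignored), and ferm then starts with the default empty `config` that line 34 itself describes as allowing any traffic. Setting `networking.firewall.enable = mkDefault false;` next to line 47, or adding an assertion that `services.ferm.enable` and `networking.firewall.enable` are not both true, would turn the "WILL disable the existing NixOS firewall" warning in the option description into an enforced property. `ExecStop` on line 59 runs `ferm -F`, which flushes the loaded rules on unit stop, so between a stop and the next `ExecStart` (for example during a rebuild) the host has no filtering at all; a comment on that line stating this is intentional, e.g. `# flushes all rules on stop: the host is unfiltered until the unit starts again`, would save the next maintainer from guessing.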
+38
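--- a/pkgs/tools/networking/ferm/default.nix
+++ b/pkgs/tools/networking/ferm/default.nix
@@ -0,0 +1,38 @@
+{ stdenv, fetchurl, makeWrapper, perl, ebtables, ipset, iptables }:
+
+stdenv.mkDerivation rec {
+version = "2.3";
+name = "ferm-${version}";
+
+src = fetchurl {
+url = "http://ferm.foo-projects.org/download/${version}/ferm-${version}.tar.gz";
+sha256 = "0jx63fhjw5y1ahgdbn4hgd7sq6clxl80dr8a2hkryibfbwz3vs4x";
+};
+
+buildInputs = [ perl ipset ebtables iptables makeWrapper ];
+preConfigure = ''
+substituteInPlace config.mk --replace "PERL = /usr/bin/perl" "PERL = ${perl}/bin/perl"
+substituteInPlace config.mk --replace "PREFIX = /usr" "PREFIX = $out"
+'';
+postInstall = ''
+rm -r $out/lib/systemd
+for i in "$out/sbin/"*; do
+wrapProgram "$i" --prefix PATH : "${iptables}/bin:${ipset}/bin:${ebtables}/bin"
+done
+'';
+
+meta = {
+homepage = http://ferm.foo-projects.org/;
+description = "Tool to maintain complex firewalls";
+longDescription = ''
+ferm is a tool to maintain complex firewalls, without having the trouble to
+rewrite the complex rules over and over again. ferm allows the entire
+firewall rule set to be stored in a separate file, and to be loaded with one
+command. The firewall configuration resembles structured programming-like
+language, which can contain levels and lists.
+'';
+license = stdenv.lib.licenses.gpl2;
+maintainers = with stdenv.lib.maintainers; [mic92];
+platforms = stdenv.lib.platforms.linux;
+};
+}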
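Review bot: `rm -r $out/lib/systemd` on new line 18 deletes the unit files upstream installs without saying why, and the `wrapProgram` loop on lines 19-21 likewise gives no hint that the PATH prefix is what lets ferm find `iptables`, `ipset` and `ebtables` at runtime. A comment before line 18 such as `# drop upstream's systemd units; the NixOS module (services.ferm) ships its own` and one before line 19 such as `# ferm execs the iptables/ipset/ebtables binaries by name, so put them on PATH` would document both. The `src` tarball on line 8 is fetched over plain http; the pinned `sha256` on line 9 makes the download tamper-evident, so this is fine as long as the hash was taken from a trusted copy, which the commit does not record.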
+2
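--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1556,6 +1556,8 @@
 
 fdm = callPackage ../tools/networking/fdm {};
 
+ferm = callPackage ../tools/networking/ferm { };
+
 fgallery = callPackage ../tools/graphics/fgallery {
 inherit (perlPackages) ImageExifTool JSON;
 };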