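# Package expression for FireHOL (iptables firewall generator) and FireQOS
# (tc-based traffic shaper), built from the upstream autotools tree.
#
# Arguments other than `onlyQOS` are the usual nixpkgs build helpers and the
# command-line tools handed to the build through `buildInputs`.
# NOTE(review): presumably ./configure resolves these tools and records their
# store paths in the installed scripts; confirm against upstream configure.ac.
{
  stdenv,
  lib,
  fetchFromGitHub,
  autoconf,
  automake,
  curl,
  iprange,
  iproute2,
  iptables,
  iputils,
  kmod,
  net-tools,
  procps,
  tcpdump,
  traceroute,
  util-linux,
  whois,

  # If true, just install FireQOS without FireHOL
  onlyQOS ? false,
}:

stdenv.mkDerivation rec {
  pname = "firehol";
  version = "3.1.8";

  # The source is pinned by release tag and by content hash.  The hash is what
  # the fetcher verifies, so a tag that is moved upstream makes the fetch fail
  # instead of silently changing the firewall code that gets built.
  # `hash` is the attribute nixpkgs uses for SRI-formatted values; the value
  # itself is unchanged.
  src = fetchFromGitHub {
    owner = "firehol";
    repo = "firehol";
    rev = "v${version}";
    hash = "sha256-6O3AoQs7Qzcin8VXQgJfCVsNOI74H6fE1DgqdY+e4bA=";
  };

  patches = [
    # configure tries to determine if `ping6` or the newer, combined
    # `ping` is installed by using `ping -6` which would fail.
    ./firehol-ping6.patch

    # put firehol config files in /etc/firehol (not $out/etc/firehol)
    # to avoid error on startup, see #35114
    # Consequence: the rule files live outside the read-only store, so their
    # ownership and permissions are whatever the host sets on /etc/firehol.
    ./firehol-sysconfdir.patch

    # we must quote "$UNAME_CMD", or the dash in
    # /nix/store/...-coreutils-.../bin/uname will be interpreted as
    # IFS -> error. this might be considered an upstream bug but only
    # appears when there are dashes in the command path
    ./firehol-uname-command.patch
  ];

  # Build-time only: needed to run ./autogen.sh below.
  nativeBuildInputs = [
    autoconf
    automake
  ];

  # Tools made available to the build.
  buildInputs = [
    curl
    iprange
    iproute2
    iptables
    iputils
    kmod
    net-tools
    procps
    tcpdump
    traceroute
    util-linux
    whois
  ];

  # The GitHub tarball carries no generated configure script.
  preConfigure = "./autogen.sh";

  configureFlags = [
    # Runtime state goes to /var, not into the immutable store path.
    "--localstatedir=/var"
    "--disable-doc"
    "--disable-man"
    # The update-ipsets component is left out of this build.
    "--disable-update-ipsets"
  ]
  ++ lib.optionals onlyQOS [ "--disable-firehol" ];

  # Attributes are spelled out through `lib.` instead of `with lib;` so that
  # nothing in this set can be shadowed by a name from `lib`.
  meta = {
    description = "Firewall for humans";
    longDescription = ''
      FireHOL, an iptables stateful packet filtering firewall for humans!
      FireQOS, a TC based bandwidth shaper for humans!
    '';
    homepage = "https://firehol.org/";
    # NOTE(review): `gpl2` does not say whether "or later" applies; check the
    # upstream licence text and switch to `gpl2Only` or `gpl2Plus`.
    license = lib.licenses.gpl2;
    maintainers = [ lib.maintainers.oxzi ];
    platforms = lib.platforms.linux;
  };
}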