Author: eelco
Date: Wed Mar 9 12:28:44 2011
New Revision: 26228
URL: https://svn.nixos.org/websvn/nix/?rev=26228&sc=1
Log:
* Cleanup.
Modified:
nixos/trunk/modules/services/networking/firewall.nix
nixos/trunk/modules/tasks/network-interfaces.nix
Modified: nixos/trunk/modules/services/networking/firewall.nix
==============================================================================
--- nixos/trunk/modules/services/networking/firewall.nix Wed Mar 9
12:14:06 2011 (r26227)
+++ nixos/trunk/modules/services/networking/firewall.nix Wed Mar 9
12:28:44 2011 (r26228)
@@ -4,8 +4,6 @@
let
- iptables = "${pkgs.iptables}/sbin/iptables";
-
cfg = config.networking.firewall;
in
@@ -76,47 +74,49 @@
# holds).
config = mkIf config.networking.firewall.enable {
- environment.systemPackages = [pkgs.iptables];
+ environment.systemPackages = [ pkgs.iptables ];
jobs.firewall =
{ startOn = "started network-interfaces";
+ path = [ pkgs.iptables ];
+
preStart =
''
- ${iptables} -F
+ iptables -F
# Accept all traffic on the loopback interface.
- ${iptables} -A INPUT -i lo -j ACCEPT
+ iptables -A INPUT -i lo -j ACCEPT
# Accept packets from established or related connections.
- ${iptables} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j
ACCEPT
+ iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j
ACCEPT
# Accept connections to the allowed TCP ports.
${concatMapStrings (port:
''
- ${iptables} -A INPUT -p tcp --dport ${toString port} -j
ACCEPT
+ iptables -A INPUT -p tcp --dport ${toString port} -j ACCEPT
''
) config.networking.firewall.allowedTCPPorts
}
# Accept multicast. Not a big security risk since
# probably nobody is listening anyway.
- ${iptables} -A INPUT -d 224.0.0.0/4 -j ACCEPT
+ iptables -A INPUT -d 224.0.0.0/4 -j ACCEPT
# Drop everything else.
${optionalString cfg.logRefusedConnections ''
- ${iptables} -A INPUT -p tcp --syn -j LOG --log-level info
--log-prefix "rejected connection: "
+ iptables -A INPUT -p tcp --syn -j LOG --log-level info
--log-prefix "rejected connection: "
''}
${optionalString cfg.logRefusedPackets ''
- ${iptables} -A INPUT -j LOG --log-level info --log-prefix
"rejected packet: "
+ iptables -A INPUT -j LOG --log-level info --log-prefix "rejected
packet: "
''}
- ${iptables} -A INPUT -j ${if cfg.rejectPackets then "REJECT" else
"DROP"}
+ iptables -A INPUT -j ${if cfg.rejectPackets then "REJECT" else
"DROP"}
'';
postStop =
''
- ${iptables} -F
- '';
+ iptables -F
+ '';
};
};
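Review bot: The two LOG rules in preStart (`iptables -A INPUT -p tcp --syn -j LOG ...` and `iptables -A INPUT -j LOG ...`, emitted when logRefusedConnections / logRefusedPackets are set) have no rate limit, so anyone who can reach the host can fill the kernel log and syslog simply by sending traffic that falls through to them; prefix each with a limit match, e.g. `iptables -A INPUT -p tcp --syn -m limit --limit 10/minute --limit-burst 20 -j LOG --log-level info --log-prefix "rejected connection: "`. Separately, the leading `iptables -F` flushes every chain in the filter table (including FORWARD/OUTPUT rules another module may have installed) while the INPUT policy stays at its default ACCEPT, so the host is briefly unfiltered each time the rules are rebuilt and remains unfiltered after postStop; if that matters, consider `iptables -P INPUT DROP` before the flush (and `-P INPUT ACCEPT` in postStop) or restrict the flush to the chain this job owns. Note also that only IPv4 `iptables` is driven here; whether ip6tables is handled elsewhere cannot be seen from this hunk. The enclosing module attribute set continues past the end of the hunk.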
Modified: nixos/trunk/modules/tasks/network-interfaces.nix
==============================================================================
--- nixos/trunk/modules/tasks/network-interfaces.nix Wed Mar 9 12:14:06
2011 (r26227)
+++ nixos/trunk/modules/tasks/network-interfaces.nix Wed Mar 9 12:28:44
2011 (r26228)
@@ -162,9 +162,10 @@
startOn = "stopped udevtrigger";
+ path = [ config.system.sbin.modprobe pkgs.iproute ];
+
preStart =
''
- export
PATH=${config.system.sbin.modprobe}/sbin:${pkgs.iproute}/sbin:$PATH
modprobe af_packet || true
${pkgs.lib.concatMapStrings (i: