Diffstat (limited to '3modules/lass/iptables.nix')
-rw-r--r--3modules/lass/iptables.nix65
1 files changed, 43 insertions, 22 deletions
diff --git a/3modules/lass/iptables.nix b/3modules/lass/iptables.nix
index 6d567ca..c97b9f7 100644
--- a/3modules/lass/iptables.nix
+++ b/3modules/lass/iptables.nix
@@ -2,7 +2,28 @@ arg@{ config, lib, pkgs, ... }:
let
inherit (pkgs) writeScript writeText;
- inherit (lib) concatMapStringsSep concatStringsSep attrNames unique fold any attrValues catAttrs filter flatten length hasAttr mkEnableOption mkOption mkIf types;
+
+ inherit (lib)
+ concatMapStringsSep
+ concatStringsSep
+ attrNames
+ unique
+ fold
+ any
+ attrValues
+ catAttrs
+ filter
+ flatten
+ length
+ hasAttr
+ mkEnableOption
+ mkOption
+ mkIf
+ types
+ sort;
+
+ elemIsIn = a: as:
+ any (x: x == a) as;
cfg = config.lass.iptables;
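Review bot: The new `elemIsIn` helper at the end of this hunk re-implements list membership, which `lib.elem` (the same function as `builtins.elem`) already provides, so the definition can be dropped and the name pulled in through the reorganised import list instead: `inherit (lib) … sort elem;`. If the helper is kept on purpose, it should carry a one-line contract comment in the style the file already uses for `buildTable`, e.g. `# elemIsIn :: a -> [a] -> bool`, placed on the line above the definition. Since the file's `let` block continues past this hunk, any caller of `elemIsIn` further down would also need to be renamed when switching to `elem`.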
@@ -74,38 +95,38 @@ let
};
};
- #buildTable :: iptablesAttrSet` -> str
+ #buildTable :: iptablesVersion -> iptablesAttrSet` -> str
#todo: differentiate by iptables-version
- buildTables = iptv: ts:
+ buildTables = v: ts:
let
+
declareChain = t: cn:
#TODO: find out what to do whit these count numbers
":${cn} ${t."${cn}".policy} [0:0]";
buildChain = tn: cn:
- #"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}";
-
- #TODO: sort by precedence
- #TODO: double check should be unneccessary, refactor!
- if (hasAttr "rules" ts."${tn}"."${cn}") then
- if (ts."${tn}"."${cn}".rules == null) then
- ""
+ let
+ sortedRules = sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules;
+
+ in
+ #TODO: double check should be unneccessary, refactor!
+ if (hasAttr "rules" ts."${tn}"."${cn}") then
+ if (ts."${tn}"."${cn}".rules == null) then
+ ""
+ else
+ concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
+ ++ map (buildRule tn cn) sortedRules
+ )
else
- concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
- ++ map buildRule ts."${tn}"."${cn}".rules
- )
- else
- ""
- ;
+ ""
+ ;
- buildRule = rule:
- #TODO implement rule validation-test here
- #
- #target:
- #target needs to be an existing chain (in the same table) or ACCEPT, REJECT, DROP, LOG, QUEUE, RETURN
+ buildRule = tn: cn: rule:
+ #target validation test:
+ assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
- #predicate:
+ #predicate validation test:
#maybe use iptables-test
#TODO: howto exit with evaluation error by shellscript?
#apperantly not possible from nix because evalatution wouldn't be deterministic.