From 00d0e3ba987cd82fa823843ad53f2e80a32a8555 Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Wed, 28 Aug 2024 21:19:07 +0200
Subject: [PATCH] nixos/networking.firewall: remove `with lib;`

---
 .../modules/services/networking/firewall.nix | 105 +++++++++---------
 1 file changed, 51 insertions(+), 54 deletions(-)

diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index a35cc51a3870..5021ef6f502a 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -1,7 +1,4 @@
 { config, lib, pkgs, ... }:
-
-with lib;
-
 let
   cfg = config.networking.firewall;
 
@@ -10,8 +7,8 @@ let
     ports: lib.unique (builtins.sort builtins.lessThan ports);
 
   commonOptions = {
-    allowedTCPPorts = mkOption {
-      type = types.listOf types.port;
+    allowedTCPPorts = lib.mkOption {
+      type = lib.types.listOf lib.types.port;
       default = [ ];
       apply = canonicalizePortList;
       example = [ 22 80 ];
@@ -21,8 +18,8 @@ let
       '';
     };
 
-    allowedTCPPortRanges = mkOption {
-      type = types.listOf (types.attrsOf types.port);
+    allowedTCPPortRanges = lib.mkOption {
+      type = lib.types.listOf (lib.types.attrsOf lib.types.port);
       default = [ ];
       example = [{ from = 8999; to = 9003; }];
       description = ''
@@ -31,8 +28,8 @@ let
       '';
     };
 
-    allowedUDPPorts = mkOption {
-      type = types.listOf types.port;
+    allowedUDPPorts = lib.mkOption {
+      type = lib.types.listOf lib.types.port;
       default = [ ];
       apply = canonicalizePortList;
       example = [ 53 ];
@@ -41,8 +38,8 @@ let
       '';
     };
 
-    allowedUDPPortRanges = mkOption {
-      type = types.listOf (types.attrsOf types.port);
+    allowedUDPPortRanges = lib.mkOption {
+      type = lib.types.listOf (lib.types.attrsOf lib.types.port);
       default = [ ];
       example = [{ from = 60000; to = 61000; }];
       description = ''
@@ -58,8 +55,8 @@ in
   options = {

     networking.firewall = {
-      enable = mkOption {
-        type = types.bool;
+      enable = lib.mkOption {
+        type = lib.types.bool;
         default = true;
         description = ''
           Whether to enable the firewall. This is a simple stateful
@@ -68,18 +65,18 @@ in
         '';
       };
 
-      package = mkOption {
-        type = types.package;
+      package = lib.mkOption {
+        type = lib.types.package;
         default = if config.networking.nftables.enable then pkgs.nftables else pkgs.iptables;
-        defaultText = literalExpression ''if config.networking.nftables.enable then "pkgs.nftables" else "pkgs.iptables"'';
-        example = literalExpression "pkgs.iptables-legacy";
+        defaultText = lib.literalExpression ''if config.networking.nftables.enable then "pkgs.nftables" else "pkgs.iptables"'';
+        example = lib.literalExpression "pkgs.iptables-legacy";
         description = ''
           The package to use for running the firewall service.
         '';
       };
 
-      logRefusedConnections = mkOption {
-        type = types.bool;
+      logRefusedConnections = lib.mkOption {
+        type = lib.types.bool;
         default = true;
         description = ''
           Whether to log rejected or dropped incoming connections.
@@ -88,8 +85,8 @@ in
         '';
       };
 
-      logRefusedPackets = mkOption {
-        type = types.bool;
+      logRefusedPackets = lib.mkOption {
+        type = lib.types.bool;
         default = false;
         description = ''
           Whether to log all rejected or dropped incoming packets.
@@ -100,8 +97,8 @@ in
         '';
       };
 
-      logRefusedUnicastsOnly = mkOption {
-        type = types.bool;
+      logRefusedUnicastsOnly = lib.mkOption {
+        type = lib.types.bool;
         default = true;
         description = ''
           If {option}`networking.firewall.logRefusedPackets`
@@ -111,8 +108,8 @@ in
         '';
       };
 
-      rejectPackets = mkOption {
-        type = types.bool;
+      rejectPackets = lib.mkOption {
+        type = lib.types.bool;
         default = false;
         description = ''
           If set, refused packets are rejected rather than dropped
@@ -123,8 +120,8 @@ in
         '';
       };
 
-      trustedInterfaces = mkOption {
-        type = types.listOf types.str;
+      trustedInterfaces = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
         default = [ ];
         example = [ "enp0s2" ];
         description = ''
@@ -134,8 +131,8 @@ in
         '';
       };
 
-      allowPing = mkOption {
-        type = types.bool;
+      allowPing = lib.mkOption {
+        type = lib.types.bool;
         default = true;
         description = ''
           Whether to respond to incoming ICMPv4 echo requests
@@ -145,8 +142,8 @@ in
         '';
       };
 
-      pingLimit = mkOption {
-        type = types.nullOr (types.separatedString " ");
+      pingLimit = lib.mkOption {
+        type = lib.types.nullOr (lib.types.separatedString " ");
         default = null;
         example = "--limit 1/minute --limit-burst 5";
         description = ''
@@ -160,10 +157,10 @@ in
         '';
       };
 
-      checkReversePath = mkOption {
-        type = types.either types.bool (types.enum [ "strict" "loose" ]);
+      checkReversePath = lib.mkOption {
+        type = lib.types.either lib.types.bool (lib.types.enum [ "strict" "loose" ]);
         default = true;
-        defaultText = literalMD "`true` except if the iptables based firewall is in use and the kernel lacks rpfilter support";
+        defaultText = lib.literalMD "`true` except if the iptables based firewall is in use and the kernel lacks rpfilter support";
         example = "loose";
         description = ''
           Performs a reverse path filter test on a packet. If a reply
@@ -180,8 +177,8 @@ in
         '';
       };
 
-      logReversePathDrops = mkOption {
-        type = types.bool;
+      logReversePathDrops = lib.mkOption {
+        type = lib.types.bool;
         default = false;
         description = ''
           Logs dropped packets failing the reverse path filter test if
@@ -189,8 +186,8 @@ in
         '';
       };
 
-      filterForward = mkOption {
-        type = types.bool;
+      lib.filterForward = lib.mkOption {
+        type = lib.types.bool;
         default = false;
         description = ''
           Enable filtering in IP forwarding.
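Review bot: `lib.filterForward = lib.mkOption {` in the last hunk is a mechanical over-replacement that moves the option to `networking.firewall.lib.filterForward`, because `lib.` in an attribute-set binding is attribute-path syntax, not a reference to the module's `lib` argument. Every configuration that sets `networking.firewall.filterForward`, and every module that reads `cfg.filterForward`, stops evaluating, in a commit whose stated scope is only dropping `with lib;`. Since this option is the switch that decides whether forwarded traffic is filtered at all, a loud evaluation failure is better than a silent one, but the rename should still be reverted to `filterForward = lib.mkOption {` so the option path and its documentation stay as they were. The `networking.firewall = {` set this hunk sits in starts and ends outside the hunk.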
@@ -199,8 +196,8 @@ in
         '';
       };
 
-      connectionTrackingModules = mkOption {
-        type = types.listOf types.str;
+      connectionTrackingModules = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
         default = [ ];
         example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
         description = ''
@@ -219,8 +216,8 @@ in
         '';
       };
 
-      autoLoadConntrackHelpers = mkOption {
-        type = types.bool;
+      autoLoadConntrackHelpers = lib.mkOption {
+        type = lib.types.bool;
         default = false;
         description = ''
           Whether to auto-load connection-tracking helpers.
@@ -230,29 +227,29 @@ in
         '';
       };
 
-      extraPackages = mkOption {
-        type = types.listOf types.package;
+      extraPackages = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
         default = [ ];
-        example = literalExpression "[ pkgs.ipset ]";
+        example = lib.literalExpression "[ pkgs.ipset ]";
         description = ''
           Additional packages to be included in the environment of the system
           as well as the path of networking.firewall.extraCommands.
         '';
       };
 
-      interfaces = mkOption {
+      interfaces = lib.mkOption {
         default = { };
-        type = with types; attrsOf (submodule [{ options = commonOptions; }]);
+        type = with lib.types; attrsOf (submodule [{ options = commonOptions; }]);
         description = ''
           Interface-specific open ports.
         '';
       };
 
-      allInterfaces = mkOption {
+      allInterfaces = lib.mkOption {
         internal = true;
         visible = false;
-        default = { default = mapAttrs (name: value: cfg.${name}) commonOptions; } // cfg.interfaces;
-        type = with types; attrsOf (submodule [{ options = commonOptions; }]);
+        default = { default = lib.mapAttrs (name: value: cfg.${name}) commonOptions; } // cfg.interfaces;
+        type = with lib.types; attrsOf (submodule [{ options = commonOptions; }]);
         description = ''
           All open ports.
         '';
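Review bot: `type = with lib.types; attrsOf (submodule [{ options = commonOptions; }]);` on both `interfaces` and `allInterfaces` in the last hunk keeps a `with` scope in a commit whose purpose is to remove them, and the two type expressions are identical. Spelling the type out as `type = lib.types.attrsOf (lib.types.submodule [{ options = commonOptions; }]);` matches every other option in the patch, and a single `let` binding for the shared type would remove the duplication. The enclosing `networking.firewall = {` set starts and ends outside the hunk.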
@@ -262,11 +259,11 @@ in
   };
 
 
-  config = mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
 
     assertions = [
       {
-        assertion = cfg.filterForward -> config.networking.nftables.enable;
+        assertion = cfg.lib.filterForward -> config.networking.nftables.enable;
         message = "filterForward only works with the nftables based firewall";
       }
       {
@@ -279,9 +276,9 @@ in
     environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages;
 
-    boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
+    boot.kernelModules = (lib.optional cfg.autoLoadConntrackHelpers "nf_conntrack")
       ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
-    boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers ''
+    boot.extraModprobeConfig = lib.optionalString cfg.autoLoadConntrackHelpers ''
       options nf_conntrack nf_conntrack_helper=1
     '';
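Review bot: `assertion = cfg.lib.filterForward -> config.networking.nftables.enable;` in the first hunk reads the option at `networking.firewall.lib.filterForward`, which is not the path the adjacent message text (`filterForward only works with the nftables based firewall`) or any existing configuration refers to; the line should stay `assertion = cfg.filterForward -> config.networking.nftables.enable;`. Because this assertion is evaluated whenever the firewall is enabled, the renamed path turns every firewall-enabled system into an evaluation failure unless the option declaration was renamed to match, and even then anything outside this file that still reads `cfg.filterForward` (presumably the nftables backend the message refers to) breaks the same way. The `config = lib.mkIf cfg.enable {` set opened here continues past the hunk.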