Merge pull request #29125 from geistesk/firehol-3.1.4

firehol: init at 3.1.4, iprange: init at 1.0.3

nixos/modules/module-list.nix

@@ -430,6 +430,7 @@
   ./services/networking/fakeroute.nix
   ./services/networking/ferm.nix
   ./services/networking/firefox/sync-server.nix
+  ./services/networking/fireqos.nix
   ./services/networking/firewall.nix
   ./services/networking/flannel.nix
   ./services/networking/flashpolicyd.nix

nixos/modules/services/networking/fireqos.nix

@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.fireqos;
+  fireqosConfig = pkgs.writeText "fireqos.conf" "${cfg.config}";
+in {
+  options.services.fireqos = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        If enabled, FireQOS will be launched with the specified
+        configuration given in `config`.
+      '';
+    };
+
+    config = mkOption {
+      type = types.str;
+      default = "";
+      example = ''
+        interface wlp3s0 world-in input rate 10mbit ethernet
+          class web commit 50kbit
+            match tcp ports 80,443
+
+        interface wlp3s0 world-out input rate 10mbit ethernet
+          class web commit 50kbit
+            match tcp ports 80,443
+      '';
+      description = ''
+        The FireQOS configuration goes here.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.fireqos = {
+      description = "FireQOS";
+      after = [ "network.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = "${pkgs.firehol}/bin/fireqos start ${fireqosConfig}";
+        ExecStop = [
+          "${pkgs.firehol}/bin/fireqos stop"
+          "${pkgs.firehol}/bin/fireqos clear_all_qos"
+        ];
+      };
+    };
+  };
+}

pkgs/applications/networking/firehol/default.nix

@@ -0,0 +1,79 @@
+{ stdenv, lib, fetchFromGitHub, pkgs
+, autoconf, automake, curl, iprange, iproute, ipset, iptables, iputils
+, kmod, nettools, procps, tcpdump, traceroute, utillinux, whois
+
+# Just install FireQOS without FireHOL
+, onlyQOS ? true
+}:
+
+stdenv.mkDerivation rec {
+  name = "firehol-${version}";
+  version = "3.1.4";
+
+  src = fetchFromGitHub {
+    owner = "firehol";
+    repo = "firehol";
+    rev = "v${version}";
+    sha256 = "121kjq5149r11k58lr9mkqns2k8jbdbjg2k93v8v7axhng6js7s9";
+  };
+
+  patches = [
+    # configure tries to determine if `ping6` or the newer, combined
+    # `ping` is installed by using `ping -6` which would fail.
+    (pkgs.writeText "firehol-ping6.patch"
+      ''
+      --- a/m4/ax_check_ping_ipv6.m4
+      +++ b/m4/ax_check_ping_ipv6.m4
+      @@ -42,16 +42,16 @@ AC_DEFUN([AX_CHECK_PING_IPV6],
+
+           AC_CACHE_CHECK([whether ]PING[ has working -6 option], [ac_cv_ping_6_opt],
+           [
+      -        ac_cv_ping_6_opt=no
+      -        if test -n "$PING"; then
+      -            echo "Trying '$PING -6 -c 1 ::1'" >&AS_MESSAGE_LOG_FD
+      -            $PING -6 -c 1 ::1 > conftest.out 2>&1
+      -            if test "$?" = 0; then
+      -                ac_cv_ping_6_opt=yes
+      -            fi
+      -            cat conftest.out >&AS_MESSAGE_LOG_FD
+      -            rm -f conftest.out
+      -        fi
+      +        ac_cv_ping_6_opt=yes
+      +        #if test -n "$PING"; then
+      +        #    echo "Trying '$PING -6 -c 1 ::1'" >&AS_MESSAGE_LOG_FD
+      +        #    $PING -6 -c 1 ::1 > conftest.out 2>&1
+      +        #    if test "$?" = 0; then
+      +        #        ac_cv_ping_6_opt=yes
+      +        #    fi
+      +        #    cat conftest.out >&AS_MESSAGE_LOG_FD
+      +        #    rm -f conftest.out
+      +        #fi
+           ])
+
+           AS_IF([test "x$ac_cv_ping_6_opt" = "xyes"],[
+      '')
+  ];
+  
+  nativeBuildInputs = [ autoconf automake ];
+  buildInputs = [
+    curl iprange iproute ipset iptables iputils kmod
+    nettools procps tcpdump traceroute utillinux whois
+  ];
+
+  preConfigure = "./autogen.sh";
+  configureFlags = [ "--localstatedir=/var"
+                     "--disable-doc" "--disable-man" ] ++
+                   lib.optional onlyQOS [ "--disable-firehol" ];
+
+  meta = with stdenv.lib; {
+    description = "A firewall for humans";
+    longDescription = ''
+      FireHOL, an iptables stateful packet filtering firewall for humans!
+      FireQOS, a TC based bandwidth shaper for humans!
+    '';
+    homepage = http://firehol.org/;
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ geistesk ];
+    platforms = platforms.linux;
+  };
+}

pkgs/applications/networking/firehol/iprange.nix

@@ -0,0 +1,18 @@
+{ stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  name = "iprange-${version}";
+  version = "1.0.3";
+
+  src = fetchurl {
+    url = "https://github.com/firehol/iprange/releases/download/v${version}/iprange-${version}.tar.xz";
+    sha256 = "0lwgl5ybrhsv43llq3kgdjpvgyfl43f3nxm0g8a8cd7zmn754bg2";
+  };
+
+  meta = with stdenv.lib; {
+    description = "manage IP ranges";
+    homepage = https://github.com/firehol/iprange;
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ geistesk ];
+  };
+}

pkgs/top-level/all-packages.nix

@@ -1984,6 +1984,10 @@ with pkgs;
 
   finger_bsd = callPackage ../tools/networking/bsd-finger { };
 
+  iprange = callPackage ../applications/networking/firehol/iprange.nix {};
+
+  firehol = callPackage ../applications/networking/firehol {};
+
   fio = callPackage ../tools/system/fio { };
 
   flamerobin = callPackage ../applications/misc/flamerobin { };