load necessary kernel modules for firewall
This commit is contained in:
parent
89693af82b
commit
6101f3f3d8
5 changed files with 80 additions and 2 deletions
|
@ -227,10 +227,32 @@ in rec {
|
||||||
};
|
};
|
||||||
|
|
||||||
services.firewall =
|
services.firewall =
|
||||||
let config = pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix);
|
let
|
||||||
|
script= pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix);
|
||||||
|
kmodules = pkgs.kernel-modules.override {
|
||||||
|
kernelSrc = config.outputs.kernel.src;
|
||||||
|
modulesoupport = config.outputs.kernel.modulesupport;
|
||||||
|
kconfig = {
|
||||||
|
NFT_FIB_IPV4 = "m";
|
||||||
|
NFT_FIB_IPV6 = "m";
|
||||||
|
NF_TABLES = "m";
|
||||||
|
NF_CT_PROTO_DCCP = "y";
|
||||||
|
NF_CT_PROTO_SCTP = "y";
|
||||||
|
NF_CT_PROTO_UDPLITE = "y";
|
||||||
|
# NF_CONNTRACK_FTP = "m";
|
||||||
|
NFT_CT = "m";
|
||||||
|
};
|
||||||
|
targets = [
|
||||||
|
"nft_fib_ipv4"
|
||||||
|
"nft_fib_ipv6"
|
||||||
|
];
|
||||||
|
};
|
||||||
in oneshot {
|
in oneshot {
|
||||||
name = "firewall";
|
name = "firewall";
|
||||||
up = config;
|
up = ''
|
||||||
|
sh ${kmodules}/load.sh
|
||||||
|
${script};
|
||||||
|
'';
|
||||||
down = "${pkgs.nftables}/bin/nft flush ruleset";
|
down = "${pkgs.nftables}/bin/nft flush ruleset";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
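Review bot: The override passes `modulesoupport = config.outputs.kernel.modulesupport;`, but the parameter declared in pkgs/kernel-modules/default.nix is spelled `modulesupport`, so the kernel's module-support output never reaches that derivation and its `src = modulesupport` stays at the `null` default. Since that function's argument pattern has no `...`, the misspelled attribute is presumably rejected at evaluation time as an unexpected argument; either way the line should read `modulesupport = config.outputs.kernel.modulesupport;`. `kernelSrc` is passed here as well, although nothing in the new kernel-modules/default.nix reads it. The enclosing `in rec { … }` attribute set starts outside this hunk.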
@ -54,4 +54,5 @@
|
||||||
min-copy-closure = callPackage ./min-copy-closure {};
|
min-copy-closure = callPackage ./min-copy-closure {};
|
||||||
hi = callPackage ./hi {};
|
hi = callPackage ./hi {};
|
||||||
firewallgen = callPackage ./firewallgen {};
|
firewallgen = callPackage ./firewallgen {};
|
||||||
|
kernel-modules = callPackage ./kernel-modules {};
|
||||||
}
|
}
|
||||||
|
|
3
pkgs/kernel-modules/Makefile
Normal file
3
pkgs/kernel-modules/Makefile
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
|
||||||
|
|
||||||
|
# obj-m += net/ipv4/netfilter/nft_fib_ipv4.o
|
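--- /dev/null
+++ b/pkgs/kernel-modules/default.nix
@@ -0,0 +1,50 @@
+{
+stdenv
+, buildPackages
+, kernelSrc ? null
+, modulesupport ? null
+, targets ? []
+, kconfig ? {}
+, openssl
+, writeText
+, lib
+}:
+let
+writeConfig = import ../kernel/write-kconfig.nix { inherit lib writeText; };
+in stdenv.mkDerivation {
+name = "kernel-modules";
+
+nativeBuildInputs = [buildPackages.stdenv.cc] ++
+(with buildPackages.pkgs; [
+bc bison flex
+openssl
+cpio
+kmod
+]);
+CC = "${stdenv.cc.bintools.targetPrefix}gcc";
+HOST_EXTRACFLAGS = with buildPackages.pkgs;
+"-I${buildPackages.openssl.dev}/include -L${buildPackages.openssl.out}/lib";
+CROSS_COMPILE = stdenv.cc.bintools.targetPrefix;
+ARCH = "mips"; # kernel uses "mips" here for both mips and mipsel
+KBUILD_BUILD_HOST = "liminix.builder";
+
+buildPhase = ''
+cat ${writeConfig "kconfig" kconfig} > .more-config
+cat .more-config >> .config
+make olddefconfig
+for v in $(cat .more-config) ; do grep $v .config || (echo Missing $v && exit 1);done
+# grep =m .config
+make modules
+'';
+src = modulesupport;
+installPhase = ''
+mkdir -p $out/lib/modules/0.0
+find . -name \*.ko | cpio --verbose --make-directories -p $out/lib/modules/0.0
+depmod -b $out -v 0.0
+touch $out/load.sh
+for i in ${lib.concatStringsSep " " targets}; do
+modprobe -S 0.0 -d $out --show-depends $i >> $out/load.sh
+done
+tac < $out/load.sh | sed 's/^insmod/rmmod/g' > $out/unload.sh
+'';
+}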
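Review bot: In `nativeBuildInputs`, the `openssl` listed inside `with buildPackages.pkgs; [ … ]` resolves to the function parameter `openssl`, not to `buildPackages.pkgs.openssl`, because Nix gives lexically bound names precedence over names introduced by `with`; when this file is called from the target package set that is the host-platform openssl, which does not belong in native build inputs. Writing `buildPackages.openssl` explicitly there (as `HOST_EXTRACFLAGS` already does) removes the ambiguity, and the `with buildPackages.pkgs;` prefix on `HOST_EXTRACFLAGS` binds nothing used in that string and can be dropped. `kernelSrc ? null` is accepted but never read — the build uses `src = modulesupport` — so either remove it or add a comment saying what callers are expected to pass it for. A short header comment stating that `targets` are the module names whose `modprobe --show-depends` output becomes `load.sh`, and that `unload.sh` is its reversed `rmmod` form, would help the next reader of the install phase.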
@ -96,6 +96,8 @@ stdenv.mkDerivation rec {
|
||||||
cp vmlinux $out
|
cp vmlinux $out
|
||||||
mkdir -p $headers
|
mkdir -p $headers
|
||||||
cp -a include .config $headers/
|
cp -a include .config $headers/
|
||||||
|
mkdir -p $modulesupport
|
||||||
|
cp modules.* $modulesupport
|
||||||
make clean modules_prepare
|
make clean modules_prepare
|
||||||
cp -a . $modulesupport
|
cp -a . $modulesupport
|
||||||
'';
|
'';
|
||||||
|
|
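Review bot: `$modulesupport` is only meaningful if `modulesupport` is listed in this derivation's `outputs`, which lies outside the hunk — confirm it is declared there, otherwise the new `mkdir -p`/`cp` lines operate on an unset variable. The reason `modules.*` is copied before `make clean modules_prepare` while the whole tree is copied afterwards is presumably that `make clean` removes those files; a comment such as `# save modules.* first: "make clean" below removes them` would make that explicit, and note that the later `cp -a . $modulesupport` overwrites any of them that survive the clean. The enclosing `installPhase` string starts outside this hunk.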