load necessary kernel modules for firewall
This commit is contained in:
parent
89693af82b
commit
6101f3f3d8
5 changed files with 80 additions and 2 deletions
|
@ -227,10 +227,32 @@ in rec {
|
|||
};
|
||||
|
||||
services.firewall =
|
||||
let config = pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix);
|
||||
let
|
||||
script= pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix);
|
||||
kmodules = pkgs.kernel-modules.override {
|
||||
kernelSrc = config.outputs.kernel.src;
|
||||
modulesoupport = config.outputs.kernel.modulesupport;
|
||||
kconfig = {
|
||||
NFT_FIB_IPV4 = "m";
|
||||
NFT_FIB_IPV6 = "m";
|
||||
NF_TABLES = "m";
|
||||
NF_CT_PROTO_DCCP = "y";
|
||||
NF_CT_PROTO_SCTP = "y";
|
||||
NF_CT_PROTO_UDPLITE = "y";
|
||||
# NF_CONNTRACK_FTP = "m";
|
||||
NFT_CT = "m";
|
||||
};
|
||||
targets = [
|
||||
"nft_fib_ipv4"
|
||||
"nft_fib_ipv6"
|
||||
];
|
||||
};
|
||||
in oneshot {
|
||||
name = "firewall";
|
||||
up = config;
|
||||
up = ''
|
||||
sh ${kmodules}/load.sh
|
||||
${script};
|
||||
'';
|
||||
down = "${pkgs.nftables}/bin/nft flush ruleset";
|
||||
};
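Review bot: `modulesoupport = config.outputs.kernel.modulesupport;` in the kmodules override is a typo for `modulesupport`, the parameter name pkgs/kernel-modules/default.nix declares; that argument set has no `...`, so the unknown attribute should fail at evaluation, and if it somehow did not, `src` would keep its `null` default and the module build would have no source. Change it to `modulesupport = config.outputs.kernel.modulesupport;`. The new `up` script also runs `sh ${kmodules}/load.sh` without checking its status, so a module that fails to load is only noticed when `${script}` tries to load a ruleset that needs nft_fib/nft_ct, leaving the host without the intended ruleset; starting the script with `set -e` would make the firewall service fail loudly instead. `kernelSrc` is passed to the override, but nothing in the kernel-modules derivation in this commit reads it.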
|
||||
|
||||
|
|
|
@ -54,4 +54,5 @@
|
|||
min-copy-closure = callPackage ./min-copy-closure {};
|
||||
hi = callPackage ./hi {};
|
||||
firewallgen = callPackage ./firewallgen {};
|
||||
kernel-modules = callPackage ./kernel-modules {};
|
||||
}
|
||||
|
|
3
pkgs/kernel-modules/Makefile
Normal file
|
@ -0,0 +1,3 @@
|
|||
|
||||
|
||||
# obj-m += net/ipv4/netfilter/nft_fib_ipv4.o
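Review bot: This new Makefile holds only a commented-out `obj-m` line, and nothing in pkgs/kernel-modules/default.nix in this commit refers to it (buildPhase runs `make modules` inside the copied kernel tree). Either drop the file or add a comment stating what it is meant to become, e.g. `# placeholder for out-of-tree modules; the in-tree build in default.nix does not use this file yet`, so the next reader does not assume it drives the module build.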
|
50
pkgs/kernel-modules/default.nix
Normal file
|
@ -0,0 +1,50 @@
|
|||
{
|
||||
stdenv
|
||||
, buildPackages
|
||||
, kernelSrc ? null
|
||||
, modulesupport ? null
|
||||
, targets ? []
|
||||
, kconfig ? {}
|
||||
, openssl
|
||||
, writeText
|
||||
, lib
|
||||
}:
|
||||
let
|
||||
writeConfig = import ../kernel/write-kconfig.nix { inherit lib writeText; };
|
||||
in stdenv.mkDerivation {
|
||||
name = "kernel-modules";
|
||||
|
||||
nativeBuildInputs = [buildPackages.stdenv.cc] ++
|
||||
(with buildPackages.pkgs; [
|
||||
bc bison flex
|
||||
openssl
|
||||
cpio
|
||||
kmod
|
||||
]);
|
||||
CC = "${stdenv.cc.bintools.targetPrefix}gcc";
|
||||
HOST_EXTRACFLAGS = with buildPackages.pkgs;
|
||||
"-I${buildPackages.openssl.dev}/include -L${buildPackages.openssl.out}/lib";
|
||||
CROSS_COMPILE = stdenv.cc.bintools.targetPrefix;
|
||||
ARCH = "mips"; # kernel uses "mips" here for both mips and mipsel
|
||||
KBUILD_BUILD_HOST = "liminix.builder";
|
||||
|
||||
buildPhase = ''
|
||||
cat ${writeConfig "kconfig" kconfig} > .more-config
|
||||
cat .more-config >> .config
|
||||
make olddefconfig
|
||||
for v in $(cat .more-config) ; do grep $v .config || (echo Missing $v && exit 1);done
|
||||
# grep =m .config
|
||||
make modules
|
||||
'';
|
||||
src = modulesupport;
|
||||
installPhase = ''
|
||||
mkdir -p $out/lib/modules/0.0
|
||||
find . -name \*.ko | cpio --verbose --make-directories -p $out/lib/modules/0.0
|
||||
depmod -b $out -v 0.0
|
||||
touch $out/load.sh
|
||||
for i in ${lib.concatStringsSep " " targets}; do
|
||||
modprobe -S 0.0 -d $out --show-depends $i >> $out/load.sh
|
||||
done
|
||||
tac < $out/load.sh | sed 's/^insmod/rmmod/g' > $out/unload.sh
|
||||
'';
|
||||
}
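Review bot: The verification loop in buildPhase, `for v in $(cat .more-config) ; do grep $v .config || (echo Missing $v && exit 1);done`, uses an unanchored `grep`, so a requested option counts as present whenever its text appears as a substring of any `.config` line; because `make olddefconfig` silently drops options whose dependencies are unmet, an inexact check can let a build through with a conntrack or nft option missing, which the firewall only discovers when its ruleset fails to load. Use a fixed-string whole-line match and a brace group instead of a subshell for the abort: `grep -qxF -- "$v" .config || { echo "Missing $v"; exit 1; }` (this keeps the existing assumption that write-kconfig emits one `CONFIG_X=y`-style token per option, which the word-split loop already relies on). In installPhase, `modprobe --show-depends` is appended to the same load.sh once per target, so modules shared by `nft_fib_ipv4` and `nft_fib_ipv6` are listed more than once and the repeated insmod lines fail at boot; piping the collected output through `awk '!seen[$0]++'` before deriving unload.sh keeps one ordered entry per module. The `kernelSrc` and `openssl` parameters are accepted but never used (the `with buildPackages.pkgs` lists shadow `openssl`), and `HOST_EXTRACFLAGS` carries a `with` it does not need.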
|
|
@ -96,6 +96,8 @@ stdenv.mkDerivation rec {
|
|||
cp vmlinux $out
|
||||
mkdir -p $headers
|
||||
cp -a include .config $headers/
|
||||
mkdir -p $modulesupport
|
||||
cp modules.* $modulesupport
|
||||
make clean modules_prepare
|
||||
cp -a . $modulesupport
|
||||
'';
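Review bot: The ordering in installPhase — `cp modules.* $modulesupport` first, then `make clean modules_prepare`, then `cp -a . $modulesupport` — is load-bearing but undocumented: as far as I recall `make clean` removes vmlinux and the top-level modules.* lists, so the early copy is what preserves them, and the later `cp -a .` overwrites anything in $modulesupport that survived clean. A comment such as `# modules.* are copied before "make clean" deletes them; the tree is copied after modules_prepare so out-of-tree module builds find prepared headers and .config` would make that explicit for whoever next reorders these lines. installPhase starts outside the hunk, and this assumes `modulesupport` is already listed in the derivation's `outputs`, which is not visible here.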
|
||||
|
|