load necessary kernel modules for firewall

2023-06-27 21:17:04 +01:00 · 2023-06-27 21:17:04 +01:00 · 6101f3f3d8
commit 6101f3f3d8
parent 89693af82b
5 changed files with 80 additions and 2 deletions
--- a/examples/rotuer.nix
+++ b/examples/rotuer.nix
@ -227,10 +227,32 @@ in rec {
  };

  services.firewall =
-    let config = pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix);
+    let
+      script= pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix);
+      kmodules = pkgs.kernel-modules.override {
+        kernelSrc  = config.outputs.kernel.src;
+        modulesoupport = config.outputs.kernel.modulesupport;
+        kconfig = {
+          NFT_FIB_IPV4 = "m";
+          NFT_FIB_IPV6 = "m";
+          NF_TABLES = "m";
+          NF_CT_PROTO_DCCP = "y";
+          NF_CT_PROTO_SCTP = "y";
+          NF_CT_PROTO_UDPLITE = "y";
+          #          NF_CONNTRACK_FTP = "m";
+          NFT_CT = "m";
+        };
+        targets = [
+          "nft_fib_ipv4"
+          "nft_fib_ipv6"
+        ];
+      };
    in oneshot {
      name = "firewall";
-      up = config;
+      up = ''
+        sh ${kmodules}/load.sh
+        ${script};
+      '';
      down = "${pkgs.nftables}/bin/nft flush ruleset";
    };

--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -54,4 +54,5 @@
  min-copy-closure = callPackage ./min-copy-closure {};
  hi = callPackage ./hi {};
  firewallgen  = callPackage ./firewallgen {};
+  kernel-modules  = callPackage ./kernel-modules {};
 }
--- a/pkgs/kernel-modules/Makefile
+++ b/pkgs/kernel-modules/Makefile
@ -0,0 +1,3 @@
+
+
+# obj-m += net/ipv4/netfilter/nft_fib_ipv4.o
--- a/pkgs/kernel-modules/default.nix
+++ b/pkgs/kernel-modules/default.nix
@ -0,0 +1,50 @@
+{
+  stdenv
+, buildPackages
+, kernelSrc  ? null
+, modulesupport ? null
+, targets ? []
+, kconfig ? {}
+, openssl
+, writeText
+, lib
+}:
+let
+  writeConfig = import ../kernel/write-kconfig.nix { inherit lib writeText; };
+in stdenv.mkDerivation {
+  name = "kernel-modules";
+
+  nativeBuildInputs = [buildPackages.stdenv.cc] ++
+                      (with buildPackages.pkgs; [
+                        bc bison flex
+                        openssl
+                        cpio
+                        kmod
+                      ]);
+  CC = "${stdenv.cc.bintools.targetPrefix}gcc";
+  HOST_EXTRACFLAGS = with buildPackages.pkgs;
+    "-I${buildPackages.openssl.dev}/include -L${buildPackages.openssl.out}/lib";
+  CROSS_COMPILE = stdenv.cc.bintools.targetPrefix;
+  ARCH = "mips";  # kernel uses "mips" here for both mips and mipsel
+  KBUILD_BUILD_HOST = "liminix.builder";
+
+  buildPhase = ''
+    cat ${writeConfig "kconfig" kconfig}  > .more-config
+    cat .more-config >> .config
+    make olddefconfig
+    for v in $(cat .more-config) ; do grep $v .config || (echo Missing $v && exit 1);done
+    # grep =m .config
+    make modules
+  '';
+  src =  modulesupport;
+  installPhase = ''
+    mkdir -p $out/lib/modules/0.0
+    find . -name \*.ko | cpio --verbose --make-directories -p $out/lib/modules/0.0
+    depmod -b $out -v 0.0
+    touch $out/load.sh
+    for i in ${lib.concatStringsSep " " targets}; do
+      modprobe -S 0.0 -d $out --show-depends $i >> $out/load.sh
+    done
+    tac < $out/load.sh | sed 's/^insmod/rmmod/g' > $out/unload.sh
+  '';
+}
--- a/pkgs/kernel/default.nix
+++ b/pkgs/kernel/default.nix
@ -96,6 +96,8 @@ stdenv.mkDerivation rec {
    cp vmlinux $out
    mkdir -p $headers
    cp -a include .config $headers/
+    mkdir -p $modulesupport
+    cp modules.* $modulesupport
    make clean modules_prepare
    cp -a . $modulesupport
  '';
				`@ -0,0 +1,3 @@`


				`# obj-m += net/ipv4/netfilter/nft_fib_ipv4.o`