From 6101f3f3d823c35d8b7e16341f7b37b6cb9508f6 Mon Sep 17 00:00:00 2001 From: Daniel Barlow Date: Tue, 27 Jun 2023 21:17:04 +0100 Subject: [PATCH] load necessary kernel modules for firewall --- examples/rotuer.nix | 26 +++++++++++++++-- pkgs/default.nix | 1 + pkgs/kernel-modules/Makefile | 3 ++ pkgs/kernel-modules/default.nix | 50 +++++++++++++++++++++++++++++++++ pkgs/kernel/default.nix | 2 ++ 5 files changed, 80 insertions(+), 2 deletions(-) create mode 100644 pkgs/kernel-modules/Makefile create mode 100644 pkgs/kernel-modules/default.nix diff --git a/examples/rotuer.nix b/examples/rotuer.nix index d9da607..759ae4f 100644 --- a/examples/rotuer.nix +++ b/examples/rotuer.nix @@ -227,10 +227,32 @@ in rec { }; services.firewall = - let config = pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix); + let + script= pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix); + kmodules = pkgs.kernel-modules.override { + kernelSrc = config.outputs.kernel.src; + modulesoupport = config.outputs.kernel.modulesupport; + kconfig = { + NFT_FIB_IPV4 = "m"; + NFT_FIB_IPV6 = "m"; + NF_TABLES = "m"; + NF_CT_PROTO_DCCP = "y"; + NF_CT_PROTO_SCTP = "y"; + NF_CT_PROTO_UDPLITE = "y"; + # NF_CONNTRACK_FTP = "m"; + NFT_CT = "m"; + }; + targets = [ + "nft_fib_ipv4" + "nft_fib_ipv6" + ]; + }; in oneshot { name = "firewall"; - up = config; + up = '' + sh ${kmodules}/load.sh + ${script}; + ''; down = "${pkgs.nftables}/bin/nft flush ruleset"; }; diff --git a/pkgs/default.nix b/pkgs/default.nix index d60ec95..8b8db76 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -54,4 +54,5 @@ min-copy-closure = callPackage ./min-copy-closure {}; hi = callPackage ./hi {}; firewallgen = callPackage ./firewallgen {}; + kernel-modules = callPackage ./kernel-modules {}; } diff --git a/pkgs/kernel-modules/Makefile b/pkgs/kernel-modules/Makefile new file mode 100644 index 0000000..ac6930d --- /dev/null +++ b/pkgs/kernel-modules/Makefile 
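Review bot: The override inside the `let` block passes `modulesoupport = config.outputs.kernel.modulesupport;`, but the package it overrides (pkgs/kernel-modules/default.nix, added in this same patch) declares that argument as `modulesupport`, so the typo leaves `src` at its `null` default and, since the package's argument set is closed, presumably makes the override fail to evaluate; it should read `modulesupport = config.outputs.kernel.modulesupport;`. The new `up` script then runs `sh ${kmodules}/load.sh` followed by `${script}` with no `set -e` and no chaining, so a failed module load does not stop the firewall step, and when that step in turn fails the box is left with whatever ruleset nft managed to apply; chaining the two, `sh ${kmodules}/load.sh && ${script}`, makes the dependency explicit. As a matter of style, `script= pkgs.firewallgen ...` should be `script = pkgs.firewallgen ...` to match the surrounding bindings. The enclosing `in rec { ... }` set starts outside the hunk.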
@@ -0,0 +1,3 @@
+
+
+# obj-m += net/ipv4/netfilter/nft_fib_ipv4.o
diff --git a/pkgs/kernel-modules/default.nix b/pkgs/kernel-modules/default.nix
new file mode 100644
index 0000000..8113fcc
--- /dev/null
+++ b/pkgs/kernel-modules/default.nix
@@ -0,0 +1,50 @@
+{
+ stdenv
+, buildPackages
+, kernelSrc ? null
+, modulesupport ? null
+, targets ? []
+, kconfig ? {}
+, openssl
+, writeText
+, lib
+}:
+let
+ writeConfig = import ../kernel/write-kconfig.nix { inherit lib writeText; };
+in stdenv.mkDerivation {
+ name = "kernel-modules";
+
+ nativeBuildInputs = [buildPackages.stdenv.cc] ++
+ (with buildPackages.pkgs; [
+ bc bison flex
+ openssl
+ cpio
+ kmod
+ ]);
+ CC = "${stdenv.cc.bintools.targetPrefix}gcc";
+ HOST_EXTRACFLAGS = with buildPackages.pkgs;
+ "-I${buildPackages.openssl.dev}/include -L${buildPackages.openssl.out}/lib";
+ CROSS_COMPILE = stdenv.cc.bintools.targetPrefix;
+ ARCH = "mips"; # kernel uses "mips" here for both mips and mipsel
+ KBUILD_BUILD_HOST = "liminix.builder";
+
+ buildPhase = ''
+ cat ${writeConfig "kconfig" kconfig} > .more-config
+ cat .more-config >> .config
+ make olddefconfig
+ for v in $(cat .more-config) ; do grep $v .config || (echo Missing $v && exit 1);done
+ # grep =m .config
+ make modules
+ '';
+ src = modulesupport;
+ installPhase = ''
+ mkdir -p $out/lib/modules/0.0
+ find . -name \*.ko | cpio --verbose --make-directories -p $out/lib/modules/0.0
+ depmod -b $out -v 0.0
+ touch $out/load.sh
+ for i in ${lib.concatStringsSep " " targets}; do
+ modprobe -S 0.0 -d $out --show-depends $i >> $out/load.sh
+ done
+ tac < $out/load.sh | sed 's/^insmod/rmmod/g' > $out/unload.sh
+ '';
+}
diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix
index 0d69792..b2b8b9f 100644
--- a/pkgs/kernel/default.nix
+++ b/pkgs/kernel/default.nix
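Review bot: The config check in `buildPhase`, `grep $v .config || (echo Missing $v && exit 1)`, runs `exit 1` inside a subshell, so it only ends that subshell and the loop carries on; it aborts the build only because the stdenv phase presumably runs under `set -e`, and the unquoted, unanchored `grep $v` also accepts any `.config` line that merely contains the requested option as a substring. Replace it with `grep -qxF -- "$v" .config || { echo "Missing $v" >&2; exit 1; }` so the check is explicit and exact. In `installPhase`, `load.sh` is built purely from `modprobe --show-depends` output with no `set -e` line, so a caller running `sh load.sh` continues past a failed `insmod`; start the file with `echo 'set -e' > $out/load.sh` instead of `touch`, and derive the unload script with `tac < $out/load.sh | sed -n 's/^insmod/rmmod/p' > $out/unload.sh` so that only the command lines are reversed. Note also that `src = modulesupport;` defaults to `null`, so the package as registered in pkgs/default.nix only builds once overridden, which deserves a comment on the argument.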
@@ -96,6 +96,8 @@ stdenv.mkDerivation rec {
 cp vmlinux $out
 mkdir -p $headers
 cp -a include .config $headers/
+ mkdir -p $modulesupport
+ cp modules.* $modulesupport
 make clean modules_prepare
 cp -a . $modulesupport
 '';
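Review bot: The two added lines copy `modules.*` into `$modulesupport` ahead of `make clean modules_prepare` without saying why, and the glob makes the phase fail if no `modules.*` file exists, which is plausible for a kernel configured with no modules. A one-line comment such as `# modules.order/modules.builtin are presumably dropped by 'make clean', but depmod in pkgs/kernel-modules needs them, so save them first` would make the ordering clear to the next reader. If a module-less kernel is a supported configuration, the copy should tolerate an empty glob rather than abort. The enclosing `installPhase` string starts outside the hunk.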