load necessary kernel modules for firewall

examples/rotuer.nix

@@ -227,10 +227,32 @@ in rec {
   };
 
   services.firewall =
-    let config = pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix);
+    let
+      script= pkgs.firewallgen "firewall.nft" (import ./rotuer-firewall.nix);
+      kmodules = pkgs.kernel-modules.override {
+        kernelSrc  = config.outputs.kernel.src;
+        modulesoupport = config.outputs.kernel.modulesupport;
+        kconfig = {
+          NFT_FIB_IPV4 = "m";
+          NFT_FIB_IPV6 = "m";
+          NF_TABLES = "m";
+          NF_CT_PROTO_DCCP = "y";
+          NF_CT_PROTO_SCTP = "y";
+          NF_CT_PROTO_UDPLITE = "y";
+          #          NF_CONNTRACK_FTP = "m";
+          NFT_CT = "m";
+        };
+        targets = [
+          "nft_fib_ipv4"
+          "nft_fib_ipv6"
+        ];
+      };
     in oneshot {
       name = "firewall";
-      up = config;
+      up = ''
+        sh ${kmodules}/load.sh
+        ${script};
+      '';
       down = "${pkgs.nftables}/bin/nft flush ruleset";
     };
 

pkgs/default.nix

@@ -54,4 +54,5 @@
   min-copy-closure = callPackage ./min-copy-closure {};
   hi = callPackage ./hi {};
   firewallgen  = callPackage ./firewallgen {};
+  kernel-modules  = callPackage ./kernel-modules {};
 }

pkgs/kernel-modules/Makefile

@@ -0,0 +1,3 @@
+
+
+# obj-m += net/ipv4/netfilter/nft_fib_ipv4.o

pkgs/kernel-modules/default.nix

@@ -0,0 +1,50 @@
+{
+  stdenv
+, buildPackages
+, kernelSrc  ? null
+, modulesupport ? null
+, targets ? []
+, kconfig ? {}
+, openssl
+, writeText
+, lib
+}:
+let
+  writeConfig = import ../kernel/write-kconfig.nix { inherit lib writeText; };
+in stdenv.mkDerivation {
+  name = "kernel-modules";
+
+  nativeBuildInputs = [buildPackages.stdenv.cc] ++
+                      (with buildPackages.pkgs; [
+                        bc bison flex
+                        openssl
+                        cpio
+                        kmod
+                      ]);
+  CC = "${stdenv.cc.bintools.targetPrefix}gcc";
+  HOST_EXTRACFLAGS = with buildPackages.pkgs;
+    "-I${buildPackages.openssl.dev}/include -L${buildPackages.openssl.out}/lib";
+  CROSS_COMPILE = stdenv.cc.bintools.targetPrefix;
+  ARCH = "mips";  # kernel uses "mips" here for both mips and mipsel
+  KBUILD_BUILD_HOST = "liminix.builder";
+
+  buildPhase = ''
+    cat ${writeConfig "kconfig" kconfig}  > .more-config
+    cat .more-config >> .config
+    make olddefconfig
+    for v in $(cat .more-config) ; do grep $v .config || (echo Missing $v && exit 1);done
+    # grep =m .config
+    make modules
+  '';
+  src =  modulesupport;
+  installPhase = ''
+    mkdir -p $out/lib/modules/0.0
+    find . -name \*.ko | cpio --verbose --make-directories -p $out/lib/modules/0.0
+    depmod -b $out -v 0.0
+    touch $out/load.sh
+    for i in ${lib.concatStringsSep " " targets}; do
+      modprobe -S 0.0 -d $out --show-depends $i >> $out/load.sh
+    done
+    tac < $out/load.sh | sed 's/^insmod/rmmod/g' > $out/unload.sh
+  '';
+}

pkgs/kernel/default.nix

@@ -96,6 +96,8 @@ stdenv.mkDerivation rec {
     cp vmlinux $out
     mkdir -p $headers
     cp -a include .config $headers/
+    mkdir -p $modulesupport
+    cp modules.* $modulesupport
     make clean modules_prepare
     cp -a . $modulesupport
   '';