enable = true;
configs = {
"shorewall.conf" = ''
- ${readFile "${shorewall.package}/etc/shorewall/shorewall.conf"}
+ ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
#
## Custom config
###
enable = true;
configs = {
"shorewall6.conf" = ''
- ${readFile "${shorewall6.package}/etc/shorewall6/shorewall6.conf"}
+ ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
#
## Custom config
###
# https://github.com/NixOS/nixpkgs/pull/46859
overlays/lib/strings.nix
overlays/users-init.nix
- overlays/tools/networking/shorewall-core.nix
overlays/tools/networking/shorewall.nix
overlays/tools/networking/shorewall6.nix
#overlays/applications/version-management/redmine/redmine_git_hosting.nix
+++ /dev/null
-self: super: {
- shorewall-core = super.callPackage ./shorewall-core {};
-}
+++ /dev/null
-{ stdenv, fetchurl, perl }:
-
-stdenv.mkDerivation rec {
- baseName = "shorewall-core";
- version = "5.2.0.5";
- name = "${baseName}-${version}";
-
- src = fetchurl {
- url = "http://www.shorewall.net/pub/shorewall/5.2/shorewall-5.2.0/${baseName}-${version}.tar.bz2";
- sha256 = "1156n42dz8g44d7f336dn7q97xcq6bl18b2gv2diydv02lc8fqbd";
- };
-
- buildInputs = [
- perl
- ];
- configurePhase = ''
- substituteInPlace ./configure --replace '#!/bin/bash' ${stdenv.shell}
- ./configure \
- HOST=linux \
- PREFIX=$out \
- CONFDIR=\$PREFIX/etc \
- SBINDIR=\$PREFIX/sbin \
- SYSCONFDIR=\$PREFIX/etc/default \
- VARLIB=/var/lib \
- INITSOURCE= \
- INITDIR= \
- INITFILE= \
- DEFAULT_PAGER=
- '';
- installPhase = ''
- substituteInPlace ./install.sh --replace '#!/bin/sh' ${stdenv.shell}
- ./install.sh
- # Remove hardcoded PATH
- sed -i $out/share/shorewall/lib.cli \
- -e '/^ *PATH=.*/d'
- '';
-
- meta = {
- homepage = http://www.shorewall.net/;
- description = "A gateway/firewall configuration tool for GNU/Linux";
- longDescription = ''
- Shorewall is a high-level tool for configuring Netfilter. You describe your
- firewall/gateway requirements using entries in a set of configuration
- files. Shorewall reads those configuration files and with the help of the
- iptables, iptables-restore, ip and tc utilities, Shorewall configures
- Netfilter and the Linux networking subsystem to match your requirements.
- Shorewall can be used on a dedicated firewall system, a multi-function
- gateway/router/server or on a standalone GNU/Linux system. Shorewall does
- not use Netfilter's ipchains compatibility mode and can thus take
- advantage of Netfilter's connection state tracking capabilities.
- '';
- license = stdenv.lib.licenses.gpl2Plus;
- platforms = stdenv.lib.platforms.linux;
- };
-}
-{ stdenv
+{ coreutils
+, ebtables
, fetchurl
-, perl
-, perlPackages
-, coreutils
+, gnugrep
+, gnused
, iproute
, ipset
, iptables
-, ebtables
-, shorewall-core
+, perl
+, perlPackages
+, stdenv
+, tree
, utillinux
-, gnugrep
-, gnused
}:
let
PATH = stdenv.lib.concatStringsSep ":"
in
stdenv.mkDerivation rec {
baseName = "shorewall";
- version = "5.2.0.5";
+ version = "5.2.3.3";
name = "${baseName}-${version}";
- src = fetchurl {
- url = "http://www.shorewall.net/pub/shorewall/5.2/shorewall-5.2.0/${baseName}-${version}.tar.bz2";
- sha256 = "005qv6kybk1jn1i63rchf86kwbxwwn463cxkp03q0mpc0cnj018w";
- };
+ srcs = [
+ (fetchurl {
+ url = "http://www.shorewall.net/pub/shorewall/5.2/shorewall-5.2.3/shorewall-core-${version}.tar.bz2";
+ sha256 = "1gg2yfxzm3y9qqjrrg5nq2ggi1c6yfxx0s7fvwjw70b185mwa5p5";
+ })
+ (fetchurl {
+ url = "http://www.shorewall.net/pub/shorewall/5.2/shorewall-5.2.3/shorewall-${version}.tar.bz2";
+ sha256 = "1ka70pa3s0cnvc83rlm57r05cdv9idnxnq0vmxi6nr7razak5f3b";
+ })
+ (fetchurl {
+ url = "http://www.shorewall.net/pub/shorewall/5.2/shorewall-5.2.3/shorewall6-${version}.tar.bz2";
+ sha256 = "0mhs4m6agwk082h1n69gnyfsjpycdd8215r4r9rzb3czs5xi087n";
+ })
+ ];
+ sourceRoot = ".";
buildInputs = [
coreutils
ipset
iptables
ebtables
- shorewall-core
utillinux
gnugrep
gnused
] ++ (with perlPackages; [
DigestSHA1
]);
+ prePatch = ''
+ # Patch configure and install.sh files
+ patchShebangs .
+
+ # Remove hardcoded PATH
+ sed -i shorewall-core-${version}/lib.cli \
+ -e '/^ *PATH=.*/d'
+ '';
configurePhase = ''
- substituteInPlace ./configure --replace '#!/bin/bash' ${stdenv.shell}
- PATH=$PATH:${shorewall-core}/bin \
- ./configure \
+ shorewall-core-${version}/configure \
HOST=linux \
PREFIX=$out \
- CONFDIR=\$PREFIX/etc \
+ CONFDIR=\$PREFIX/etc-example \
SBINDIR=\$PREFIX/sbin \
- SYSCONFDIR=\$PREFIX/etc/default \
+ SYSCONFDIR= \
+ SHAREDIR=\$PREFIX/share \
+ LIBEXECDIR=\$SHAREDIR \
+ PERLLIBDIR=\$SHAREDIR/shorewall \
+ MANDIR=$out/man \
VARLIB=/var/lib \
INITSOURCE= \
INITDIR= \
DEFAULT_PAGER=
'';
installPhase = ''
- # Merge with shorewall-core
- cp -r -s ${shorewall-core} $out
- chmod u+w $out $out/*/ $out/*/*/ $out/*/*/*/
- ln -fns bin $out/sbin
- # Install shorewallrc and shorewall
- cp --remove-destination shorewallrc $out/share/shorewall/
- substituteInPlace ./install.sh --replace '#!/bin/sh' ${stdenv.shell}
- ./install.sh
- cp ${shorewall-core}/sbin/shorewall $out/sbin/shorewall4
- ln -fns shorewall4 $out/sbin/shorewall
- # Actual config will be expected in /etc/shorewall
- sed -i $out/share/shorewall/shorewallrc \
- -e 's~^CONFDIR=.*~CONFDIR=/etc~'
- # Fix PATH
- sed -i $out/sbin/shorewall \
- -e 's~^\. ${shorewall-core}\(/share/shorewall/shorewallrc\)~. '$out'\1~' \
- -e 's~^PRODUCT=.*~&\nexport PATH=${PATH}''${PATH:+:}$PATH~'
- # Fix shorewall.conf
- sed -i $out/etc/shorewall/shorewall.conf \
+ export DESTDIR=/
+ shorewall-core-${version}/install.sh
+
+ ln -s ../shorewall-core-${version}/shorewallrc shorewall-${version}/
+ shorewall-${version}/install.sh
+
+ ln -s ../shorewall-core-${version}/shorewallrc shorewall6-${version}/
+ shorewall6-${version}/install.sh
+
+ # Patch the example shorewall{,6}.conf in case it is included
+ # in services.shorewall{,6}.configs
+ sed -i $out/etc-example/shorewall/shorewall.conf \
+ $out/etc-example/shorewall6/shorewall6.conf \
-e 's|^LOGFILE=.*|LOGFILE=/var/log/shorewall.log|' \
-e 's|^PATH=.*|PATH=${PATH}|' \
-e 's|^PERL=.*|PERL=${perl}/bin/perl|' \
-e 's|^SHOREWALL_SHELL=.*|SHOREWALL_SHELL=${stdenv.shell}|'
+ sed -i $out/etc-example/shorewall6/shorewall6.conf \
+ -e 's|^CONFIG_PATH=.*|CONFIG_PATH=:''${CONFDIR}/shorewall6:''${SHAREDIR}/shorewall6:''${SHAREDIR}/shorewall|'
# FIXME: the default GEOIPDIR=/usr/share/xt_geoip/LE may require attention.
+
+ # Redirect CONFDIR to /etc where services.shorewall{,6}.configs
+ # will generate the config files.
+ sed -i $out/share/shorewall/shorewallrc \
+ -e 's~^CONFDIR=.*~CONFDIR=/etc~'
'';
meta = {
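Review bot: The combined sed at lines 205-210 writes `LOGFILE=/var/log/shorewall.log` into shorewall6.conf as well, whereas the deleted shorewall6.nix set shorewall6.conf to `/var/log/shorewall6.log`; unless the merge intends both firewalls to read the same log file, the shorewall6-only sed at line 211 should carry its own `-e 's|^LOGFILE=.*|LOGFILE=/var/log/shorewall6.log|'` (it runs after the shared one, so it overrides it). The CONFIG_PATH override on line 212 also lost the explanation the old derivation kept next to it, namely that `${SHAREDIR}/shorewall6` must precede `${SHAREDIR}/shorewall`, otherwise shorewall's macro.Ping can shadow shorewall6's and the wrong ICMP type is used; that NOTE is worth restoring above line 211, since the reason for the override is invisible without it. Both sed calls hard-code the `etc-example` directory chosen by `CONFDIR=\$PREFIX/etc-example` in configurePhase, so a one-line comment linking the two would keep a later CONFDIR change from silently breaking the patching step.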
type = types.bool;
default = false;
description = ''
- Whether to enable Shorewall Firewall.
- *Warning*: Enabling this service WILL disable the existing NixOS
- firewall! Default firewall rules provided by packages are not
- considered at the moment.
+ Whether to enable Shorewall IPv4 Firewall.
+ <warning>
+ <para>
+ Enabling this service WILL disable the existing NixOS
+ firewall! Default firewall rules provided by packages are not
+ considered at the moment.
+ </para>
+ </warning>
'';
};
package = lib.mkOption {
+++ /dev/null
-{ stdenv
-, fetchurl
-, perl
-, coreutils
-, iproute
-, ipset
-, iptables
-, ebtables
-, shorewall-core
-, shorewall
-, utillinux
-, gnugrep
-, gnused
-}:
-let
- PATH = stdenv.lib.concatStringsSep ":"
- [ "${coreutils}/bin"
- "${iproute}/bin"
- "${iptables}/bin"
- "${ipset}/bin"
- "${ebtables}/bin"
- "${utillinux}/bin"
- "${gnugrep}/bin"
- "${gnused}/bin"
- ];
-in
-stdenv.mkDerivation rec {
- baseName = "shorewall6";
- version = "5.2.0.5";
- name = "${baseName}-${version}";
-
- src = fetchurl {
- url = "http://www.shorewall.net/pub/shorewall/5.2/shorewall-5.2.0/${baseName}-${version}.tar.bz2";
- sha256 = "1a46jnr6wknlmfkhjpdvak85wj0mr99qn02r185qswhcyfwyaapl";
- };
-
- buildInputs = [
- coreutils
- iproute
- ipset
- iptables
- ebtables
- shorewall-core
- utillinux
- gnugrep
- gnused
- shorewall
- ];
- configurePhase = ''
- substituteInPlace ./configure --replace '#!/bin/bash' ${stdenv.shell}
- PATH=$PATH:${shorewall-core}/bin \
- ./configure \
- HOST=linux \
- PREFIX=$out \
- CONFDIR=\$PREFIX/etc \
- SBINDIR=\$PREFIX/sbin \
- SYSCONFDIR=\$PREFIX/etc/default \
- VARLIB=/var/lib \
- INITSOURCE= \
- INITDIR= \
- INITFILE= \
- DEFAULT_PAGER=
- '';
- installPhase = ''
- # Merge with shorewall and shorewall-core
- mkdir -p $out/share/
- cp -r -s ${shorewall}/share/shorewall $out/share/
- chmod u+w $out $out/*/ $out/*/*/ $out/*/*/*/
- mkdir $out/bin
- ln -fns bin $out/sbin
- # Install shorewallrc and shorewall6
- cp --remove-destination shorewallrc $out/share/shorewall/
- #ln -s ${shorewall}/share/shorewall/compiler.pl $out/share/shorewall/
- substituteInPlace ./install.sh --replace '#!/bin/sh' ${stdenv.shell}
- ./install.sh
- cp --remove-destination ${shorewall-core}/sbin/shorewall $out/sbin/shorewall6
- # Actual config will be expected in /etc/shorewall6
- sed -i $out/share/shorewall/shorewallrc \
- -e 's~^CONFDIR=.*~CONFDIR=/etc~'
- # Fix PATH
- sed -i $out/sbin/shorewall6 \
- -e 's~^\. ${shorewall-core}\(/share/shorewall/shorewallrc\)~. '$out'\1~' \
- -e 's~^PRODUCT=.*~&\nexport PATH=${PATH}''${PATH:+:}$PATH~'
- # Fix shorewall.conf
- sed -i $out/etc/shorewall6/shorewall6.conf \
- -e 's|^LOGFILE=.*|LOGFILE=/var/log/shorewall6.log|' \
- -e 's|^PATH=.*|PATH=${PATH}|' \
- -e 's|^PERL=.*|PERL=${perl}/bin/perl|' \
- -e 's|^SHOREWALL_SHELL=.*|SHOREWALL_SHELL=${stdenv.shell}|' \
- -e 's|^CONFIG_PATH=.*|CONFIG_PATH=:''${CONFDIR}/shorewall6:''${SHAREDIR}/shorewall6:''${SHAREDIR}/shorewall|'
- # NOTE: the CONFIG_PATH fix is because ''${SHAREDIR}/shorewall6
- # must replace the default /usr/share/shorewall6,
- # otherwise it can fail in subtle ways,
- # like using shorewall's macro.Ping instead of shorewall6's,
- # hence not using the right icmp-type (8 instead of 128 here).
- '';
-
- meta = {
- homepage = http://www.shorewall.net/;
- description = "An IPv6 gateway/firewall configuration tool for GNU/Linux";
- longDescription = ''
- Shorewall is a high-level tool for configuring Netfilter. You describe your
- firewall/gateway requirements using entries in a set of configuration
- files. Shorewall reads those configuration files and with the help of the
- iptables, iptables-restore, ip and tc utilities, Shorewall configures
- Netfilter and the Linux networking subsystem to match your requirements.
- Shorewall can be used on a dedicated firewall system, a multi-function
- gateway/router/server or on a standalone GNU/Linux system. Shorewall does
- not use Netfilter's ipchains compatibility mode and can thus take
- advantage of Netfilter's connection state tracking capabilities.
- '';
- license = stdenv.lib.licenses.gpl2Plus;
- platforms = stdenv.lib.platforms.linux;
- };
-}
type = types.bool;
default = false;
description = ''
- Whether to enable Shorewall Firewall.
- *Warning*: Enabling this service WILL disable the existing NixOS
- firewall! Default firewall rules provided by packages are not
- considered at the moment.
+ Whether to enable Shorewall IPv6 Firewall.
+ <warning>
+ <para>
+ Enabling this service WILL disable the existing NixOS
+ firewall! Default firewall rules provided by packages are not
+ considered at the moment.
+ </para>
+ </warning>
'';
};
package = lib.mkOption {
type = types.package;
- default = pkgs.shorewall6;
- defaultText = "pkgs.shorewall6";
- description = "The shorewall6 package to use.";
+ default = pkgs.shorewall;
+ defaultText = "pkgs.shorewall";
+ description = "The shorewall package to use.";
};
configs = lib.mkOption {
type = types.attrsOf types.str;
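Review bot: The new `description = "The shorewall package to use.";` makes services.shorewall6.package read identically to services.shorewall.package in the generated option documentation, although this option is the one the IPv6 service runs. Something like `description = "The shorewall package to use for the IPv6 firewall (it is expected to provide the shorewall6 tooling).";` keeps the two options distinguishable. Whether the shorewall6 service actually invokes a shorewall6 binary from this package is not visible in this hunk, so adjust the wording to what the service script does.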
config = lib.mkIf cfg.enable {
systemd.services.firewall.enable = false;
systemd.services.shorewall6 = {
- description = "Shorewall IPv6 Firewall";
- after = [ "ipset.target" ];
- before = [ "network-pre.target" ];
- wants = [ "network-pre.target" ];
- wantedBy = [ "multi-user.target" ];
- reloadIfChanged = true;
- restartTriggers = lib.attrValues cfg.configs;
+ description = "Shorewall IPv6 Firewall";
+ after = [ "ipset.target" ];
+ before = [ "network-pre.target" ];
+ wants = [ "network-pre.target" ];
+ wantedBy = [ "multi-user.target" ];
+ reloadIfChanged = true;
+ restartTriggers = lib.attrValues cfg.configs;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";