tv iptables: add extra{4,6}

2019-02-10 14:22:54 +01:00 · 2019-02-10 14:22:54 +01:00 · 8371e21c10
commit 8371e21c10
parent d3b23eac6e
1 changed files with 42 additions and 13 deletions
--- a/tv/3modules/iptables.nix
+++ b/tv/3modules/iptables.nix
@ -9,6 +9,33 @@ let {
    config = lib.mkIf cfg.enable imp;
  };

+  extraTypes = {
+    rules = types.submodule {
+      options = {
+        nat.OUTPUT = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+        nat.PREROUTING = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+        nat.POSTROUTING = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+        filter.FORWARD = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+        filter.INPUT = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+      };
+    };
+  };
+
  api = {
    enable = mkEnableOption "tv.iptables";

@ -37,19 +64,19 @@ let {
      default = [];
    };

-    extra = {
-      nat.POSTROUTING = mkOption {
-        type = with types; listOf str;
-        default = [];
-      };
-      filter.FORWARD = mkOption {
-        type = with types; listOf str;
-        default = [];
-      };
-      filter.INPUT = mkOption {
-        type = with types; listOf str;
-        default = [];
-      };
+    extra = mkOption {
+      default = {};
+      type = extraTypes.rules;
+    };
+
+    extra4 = mkOption {
+      default = {};
+      type = extraTypes.rules;
+    };
+
+    extra6 = mkOption {
+      default = {};
+      type = extraTypes.rules;
    };
  };

@ -112,6 +139,7 @@ let {
        "-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
      ]}
      ${formatTable cfg.extra.nat}
+      ${formatTable cfg."extra${toString iptables-version}".nat}
      COMMIT
      *filter
      :INPUT DROP [0:0]
@ -129,6 +157,7 @@ let {
        ++ ["-i retiolum -j Retiolum"]
      )}
      ${formatTable cfg.extra.filter}
+      ${formatTable cfg."extra${toString iptables-version}".filter}
      ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
        ++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
        ++ map accept-tcp (unique (map toString cfg.input-retiolum-accept-tcp))