
Enable work variant firewall with iptables-compat #66953

Merged: 4 commits into NixOS:staging from the iptables-compat branch on Sep 22, 2019

Conversation

@Izorkin Izorkin commented Aug 19, 2019

Motivation for this change

Enable work variant firewall and fail2ban with iptables-compat - nftables compatibility.

Example configuration:

  services.fail2ban = {
    enable = true;
    packageFirewall = pkgs.iptables-compat;
    jails = {
      DEFAULT = ''
        enabled  = true
      '';
      ssh-iptables = ''
        enabled  = true
      '';
    };
  };

  networking.firewall.enable = true;
  networking.firewall.package = pkgs.iptables-compat;

Work tested in a virtual machine.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @

Izorkin commented Aug 19, 2019

@GrahamcOfBorg build iptables iptables-compat

@aanderse aanderse left a comment

@Izorkin overall looks like a good change 👍 I don't know enough about the networking stack to merge this, but we can ping a few people and try to get a good thorough review+merge.

Review comment on nixos/modules/services/security/fail2ban.nix (outdated, resolved)

@FRidh FRidh left a comment

The package options are good I think. Not sure about always building the variant nor renaming the package. Can't judge the rest of the PR.

Review comment on pkgs/os-specific/linux/iptables/default.nix (outdated, resolved)
Review comment on pkgs/top-level/all-packages.nix (outdated, resolved)
@Izorkin Izorkin force-pushed the iptables-compat branch 2 times, most recently from 0695629 to 00b86ae Compare September 1, 2019 09:45
Izorkin commented Sep 1, 2019

Updated default configuration in the service fail2ban. Added custom options: banaction, bantime-increment, bantime-increment-config.
The bantime-increment option is for fail2ban version 0.11.
@aanderse please review update.

aanderse commented Sep 2, 2019

@Izorkin you should ask @FRidh and those more familiar with this module to approve this PR. Unfortunately I don't know enough to say yes.

@Izorkin Izorkin changed the title Enable work variant firewall and fail2ban with iptables-compat Enable work variant firewall with iptables-compat Sep 3, 2019
Izorkin commented Sep 3, 2019

Moved fail2ban changes to PR #67931

@Izorkin Izorkin requested a review from FRidh September 7, 2019 18:57
@Mic92 Mic92 merged commit 8c7667c into NixOS:staging Sep 22, 2019
Izorkin commented Sep 22, 2019

@Mic92 thanks!

dtzWill pushed a commit to dtzWill/nixpkgs that referenced this pull request Sep 22, 2019
Enable work variant firewall with iptables-compat

(cherry picked from commit 8c7667c)
@Izorkin Izorkin deleted the iptables-compat branch September 23, 2019 12:45
@misuzu misuzu mentioned this pull request Mar 4, 2020