nixos: add configuration for firewalld#205380

Closed
alaviss wants to merge 5 commits into NixOS:staging from alaviss:firewalld

Conversation

@alaviss
Contributor

@alaviss alaviss commented Dec 9, 2022

Description of changes

Add new module to allow for configuration of firewalld.

This PR contains a couple of auxiliary fixes:

  • nftables: Fixed python module default SO import path.
  • firewalld: Fixed firewall-applet and networkmanager integration.

I can split this into other PRs if that's desired.

TODO (in a future PR, maybe):

  • Add an option to allow for overlaying extra default configurations. NetworkManager is known to ship with a zone configuration (disabled by default on NixOS, though).
  • Patch firewalld to let it load base config from the default config directory (i.e. /lib/firewalld/firewalld.conf). This should allow for services.firewalld.config to be used in tandem with ordinary user configs.

Fixes #165882
Fixes #249609

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.05 Release Notes (or backporting 22.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Dec 9, 2022
@alaviss
Contributor Author

alaviss commented Dec 9, 2022

@lukegb Please help me write tests for nftables python module :P

@ofborg ofborg bot added 10.rebuild-darwin: 11-100 This PR causes between 11 and 100 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 501-1000 This PR causes many rebuilds on Linux and should normally target the staging branches. labels Dec 9, 2022
@alaviss alaviss changed the base branch from master to staging December 9, 2022 22:57
@ofborg ofborg bot added the 8.has: package (new) This PR adds a new package label Jan 18, 2023
@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/1813

@wegank wegank added 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 2.status: merge conflict This PR has merge conflicts with the target branch labels Mar 19, 2024
@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Mar 20, 2024
@wegank wegank added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 4, 2024
@deviantsemicolon
Contributor

Will this get merged or is a new PR necessary?

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 8, 2024
@quentinmit
Contributor

Some of this was already merged, but it still needs more work. Here's the overlay I apply to get a working firewalld:

  firewalld = prev.firewalld.overrideAttrs (old: {
    # Patch /usr/lib, and fix typo in nm-connection-editor
    postPatch = ''
      substituteInPlace src/firewall/config/__init__.py.in \
        --replace "/usr/share" "$out/share" \
        --replace "/usr/lib/" "/run/current-system/sw/lib/"

      for file in config/firewall-{applet,config}.desktop.in; do
        substituteInPlace $file \
          --replace "/usr/bin/" "$out/bin/"
      done
      substituteInPlace src/firewall-applet.in \
        --replace "/usr/bin/nm-connection-editor" "${final.networkmanagerapplet}/bin/nm-connection-editor"
    '';
    # Make NM available for gobject-introspection
    buildInputs = old.buildInputs ++ [final.networkmanager];
    # Fix applet executable
    nativeBuildInputs = old.nativeBuildInputs ++ [final.libsForQt5.wrapQtAppsHook];
    dontWrapQtApps = true;
    preFixup = old.preFixup + ''
      makeWrapperArgs+=("''${qtWrapperArgs[@]}")
    '';
  });
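As an added check, not part of the PR and not from quentinmit's overlay: a small POSIX shell function that scans a build output tree for the FHS paths the overlay rewrites (/usr/share, /usr/lib/, /usr/bin/). On NixOS those directories do not exist, so any path that survives patching is a runtime "file not found" waiting to happen, and a path resolved outside the store is one the build no longer controls. The directory layout, file contents and store path in make_sample_tree are constructed for the demonstration.

```shell
#!/usr/bin/env sh
# Added example: audit a build output for hard-coded FHS paths that a
# substituteInPlace pass was supposed to rewrite. Not from the PR.

# Patterns the overlay above rewrites; a file still mentioning any of them
# after patching means a substituteInPlace call missed it.
FHS_PATTERNS='/usr/share|/usr/lib/|/usr/bin/'

# check_no_fhs_paths DIR
#   Prints every file:line that still references an FHS path and returns 1;
#   returns 0 when the tree is clean. "|| true" keeps a no-match grep (exit 1)
#   from aborting callers that run under "set -e".
check_no_fhs_paths() {
    dir=$1
    hits=$(grep -rnE "$FHS_PATTERNS" "$dir" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# make_sample_tree DIR
#   Constructed fixture: one desktop file as it should look after the overlay's
#   "/usr/bin/" -> "$out/bin/" rewrite (placeholder store path), and one that
#   was missed and still points at /usr/bin.
make_sample_tree() {
    mkdir -p "$1/patched" "$1/unpatched"
    printf 'Exec=%s\n' "/nix/store/placeholder-firewalld/bin/firewall-applet" \
        > "$1/patched/firewall-applet.desktop"
    printf 'Exec=/usr/bin/firewall-applet\n' \
        > "$1/unpatched/firewall-applet.desktop"
}

# Usage against a real build: check_no_fhs_paths ./result
```

Run it against `./result` after `nix-build`; a non-zero exit with the offending lines printed is the signal to extend the postPatch phase rather than ship the output.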

@alaviss
Contributor Author

alaviss commented Jul 8, 2024

I'm closing this PR to signal that I'm not planning to work on this anytime soon.

If anyone is interested, feel free to make a new PR based off the work done here.

@alaviss alaviss closed this Jul 8, 2024
@deviantsemicolon
Contributor

> Some of this was already merged, but it still needs more work. Here's the overlay I apply to get a working firewalld:
>
>   firewalld = prev.firewalld.overrideAttrs (old: {
>     # Patch /usr/lib, and fix typo in nm-connection-editor
>     postPatch = ''
>       substituteInPlace src/firewall/config/__init__.py.in \
>         --replace "/usr/share" "$out/share" \
>         --replace "/usr/lib/" "/run/current-system/sw/lib/"
>
>       for file in config/firewall-{applet,config}.desktop.in; do
>         substituteInPlace $file \
>           --replace "/usr/bin/" "$out/bin/"
>       done
>       substituteInPlace src/firewall-applet.in \
>         --replace "/usr/bin/nm-connection-editor" "${final.networkmanagerapplet}/bin/nm-connection-editor"
>     '';
>     # Make NM available for gobject-introspection
>     buildInputs = old.buildInputs ++ [final.networkmanager];
>     # Fix applet executable
>     nativeBuildInputs = old.nativeBuildInputs ++ [final.libsForQt5.wrapQtAppsHook];
>     dontWrapQtApps = true;
>     preFixup = old.preFixup + ''
>       makeWrapperArgs+=("''${qtWrapperArgs[@]}")
>     '';
>   });

The modules were merged? I don't see any in NixOS options.

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/firewalld-systemd-service/49129/8
