nixos-firewall-tool: misc improvements (#365207)

NixOS · Dec 30, 2024 · 7323ca2 · 7323ca2
2 parents 33f8bb4 + d57da57
commit 7323ca2
Show file tree

Hide file tree

Showing 6 changed files with 170 additions and 89 deletions.
diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+# vim: set tabstop=2 shiftwidth=2 expandtab:
+
+set -euo pipefail
+
+# Detect if iptables or nftables-based firewall is used.
+if [[ -e /etc/systemd/system/firewall.service ]]; then
+  BACKEND=iptables
+elif [[ -e /etc/systemd/system/nftables.service ]]; then
+  BACKEND=nftables
+else
+  echo "nixos-firewall-tool: cannot detect firewall backend" >&2
+  exit 1
+fi
+
+ip46tables() {
+  iptables -w "$@"
+  ip6tables -w "$@"
+}
+
+show_help() {
+  echo "nixos-firewall-tool
+
+A tool to temporarily manipulate the NixOS firewall
+
+Open TCP port:
+  nixos-firewall-tool open tcp 8888
+
+Open UDP port:
+  nixos-firewall-tool open udp 51820
+
+Show all firewall rules:
+  nixos-firewall-tool show
+
+Reset firewall configuration to system settings:
+  nixos-firewall-tool reset"
+}
+
+if [[ -z ${1+x} ]]; then
+  show_help
+  exit 1
+fi
+
+case $1 in
+  "open")
+    if [[ -z ${2+x} ]] || [[ -z ${3+x} ]]; then
+      show_help
+      exit 1
+    fi
+
+    protocol="$2"
+    port="$3"
+
+    case $BACKEND in
+      iptables)
+        ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept
+        ;;
+      nftables)
+        nft add element inet nixos-fw "temp-ports" "{ $protocol . $port }"
+        ;;
+    esac
+  ;;
+  "show")
+    case $BACKEND in
+      iptables)
+        ip46tables --numeric --list nixos-fw
+        ;;
+      nftables)
+        nft list table inet nixos-fw
+        ;;
+    esac
+  ;;
+  "reset")
+    case $BACKEND in
+      iptables)
+        systemctl restart firewall.service
+        ;;
+      nftables)
+        nft flush set inet nixos-fw "temp-ports"
+        ;;
+    esac
+  ;;
+  -h|--help|help)
+    show_help
+    exit 0
+  ;;
+  *)
+    show_help
+    exit 1
+  ;;
+esac
diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.1 b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.1
@@ -0,0 +1,17 @@
+.TH nixos-firewall-tool 1
+.SH NAME
+nixos-firewall-tool \- a tool to temporarily manipulate the NixOS firewall
+.SH SYNOPSIS
+nixos-firewall-tool \fIsubcommand\fR
+
+Open TCP port:
+  nixos-firewall-tool open tcp 8888
+
+Open UDP port:
+  nixos-firewall-tool open udp 51820
+
+Show all firewall rules:
+  nixos-firewall-tool show
+
+Reset firewall configuration to system settings:
+  nixos-firewall-tool reset
diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.bash b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.bash
@@ -0,0 +1,20 @@
+_nixos_firewall_tool() {
+  case "${COMP_CWORD}" in
+    1)
+      COMPREPLY=($(compgen -W "open show reset" -- "${COMP_WORDS[1]}"))
+      ;;
+    2)
+      case "${COMP_WORDS[1]}" in
+        "open")
+          COMPREPLY=($(compgen -W "tcp udp" -- "${COMP_WORDS[2]}"))
+          ;;
+        *)
+          ;;
+      esac
+      ;;
+    *)
+      ;;
+  esac
+}
+
+complete -F _nixos_firewall_tool nixos-firewall-tool
diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.fish b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.fish
@@ -0,0 +1,5 @@
+complete -c nixos-firewall-tool -f
+complete -c nixos-firewall-tool -k -a reset -d 'Reset firewall configuration to system settings' -n "__fish_is_first_token"
+complete -c nixos-firewall-tool -k -a show -d 'Show all firewall rules' -n "__fish_is_first_token"
+complete -c nixos-firewall-tool -k -a open -d 'Open a port temporarily' -n "__fish_is_first_token"
+complete -c nixos-firewall-tool -k -a "tcp udp" -n "__fish_seen_subcommand_from open && __fish_is_nth_token 2"
diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh
diff --git a/pkgs/by-name/ni/nixos-firewall-tool/package.nix b/pkgs/by-name/ni/nixos-firewall-tool/package.nix
@@ -1,17 +1,50 @@
-{ writeShellApplication, lib }:
+{
+  stdenvNoCC,
+  lib,
+  bash,
+  installShellFiles,
+  shellcheck-minimal,
+}:
 
-writeShellApplication {
+stdenvNoCC.mkDerivation rec {
   name = "nixos-firewall-tool";
 
-  text = builtins.readFile ./nixos-firewall-tool.sh;
+  src = lib.fileset.toSource {
+    root = ./.;
+    fileset = lib.fileset.fileFilter (file: !file.hasExt "nix") ./.;
+  };
+
+  strictDeps = true;
+  buildInputs = [ bash ];
+  nativeBuildInputs = [ installShellFiles ];
+
+  postPatch = ''
+    patchShebangs --host nixos-firewall-tool
+  '';
+
+  installPhase = ''
+    installBin nixos-firewall-tool
+    installManPage nixos-firewall-tool.1
+    installShellCompletion nixos-firewall-tool.{bash,fish}
+  '';
+
+  # Skip shellcheck if GHC is not available, see writeShellApplication.
+  doCheck =
+    lib.meta.availableOn stdenvNoCC.buildPlatform shellcheck-minimal.compiler
+    && (builtins.tryEval shellcheck-minimal.compiler.outPath).success;
+  checkPhase = ''
+    ${lib.getExe shellcheck-minimal} nixos-firewall-tool
+  '';
 
   meta = with lib; {
-    description = "Temporarily manipulate the NixOS firewall";
+    description = "A tool to temporarily manipulate the NixOS firewall";
     license = licenses.mit;
     maintainers = with maintainers; [
       clerie
       rvfg
       garyguo
     ];
+    platforms = platforms.linux;
+    mainProgram = "nixos-firewall-tool";
   };
 }