[Nix-dev] firewall.nix builds a broken firewall when IPv6 is disabled

Pablo Costa modulistic at gmail.com
Tue Sep 18 23:04:02 CEST 2012


Hi!

I have been disabling IPv6 on my machines from the very beginning of
it being supported by GNU/Linux distros. I wrote some information
about how to achieve this on NixOS in [1] and [2].

I have been playing with the firewall and I realized it was not
working at all: there were no rules on any chain and the default
policies were set to ACCEPT on all three main chains.

I tried to figure out how the firewall is implemented in NixOS and
ended up on [3], and then realized this file serves to build the
upstart service described in [4].

There is a shell function in these files named ip46tables that serves
to set a rule on iptables and ip6tables in one single shot. The call
to ip6tables is the last command in the function, so the exit status of
this command is passed to the caller.

When IPv6 is disabled, ip6tables yields a non-zero exit status. I have
not dug deeper into the fine details because the shell function is
already lacking, given that there is something called
networking.enableIPv6 defined somewhere else :)

You can see I am still quite ignorant on this Nix/NixOS stuff, but I
have replaced OpenSUSE on my laptop so I have no choice but to get
used to this as fast as possible xD

So I have made a patch for [3] that I am attaching below, but I have
no idea yet how to test it. I have just copied what I have seen in
other random Nix expressions in the hope that it will end up working and
that in the process I will learn how to set up my testing environment and
provide NixOS with more respectable patches :)

I have been lurking on the list and on the IRC channel for some time,
and I have read some papers and stuff on the web about Nix and NixOS,
but I have put the project aside for some time and my [long-term]
memory is quite volatile. That's it.

Here's my patch! Cheers everybody!

[1] https://nixos.org/wiki/Disabling_IPv6
[2] https://nixos.org/wiki/Talk:Disabling_IPv6
[3] /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/services/networking/firewall.nix
[4] /etc/init/firewall.conf

BTW -- this patch applies to my nix-channel --update from this
morning! Doesn't sound like a good reference, does it?! xD

32c32
<     ''
---
>     ${if config.enableIPv6 then ''
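Review bot: the option name in the replacement line is wrong: `config.enableIPv6` is not the option mentioned earlier in the message, which is `networking.enableIPv6`, so inside the module it has to be read as `config.networking.enableIPv6`; as written, `enableIPv6` would be an undefined attribute on `config` and evaluation would fail before any firewall script is produced.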
37a38,42
>     '' else ''
>       # This dumb function is a minor overhead when ipv6 is disabled
>       ip46tables() {
>         iptables "$@"
>       }
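Review bot: the fallback duplicates the whole helper, so the two definitions of `ip46tables` can drift apart over time; keep a single definition and guard only the IPv6 line, for instance with `${lib.optionalString config.networking.enableIPv6 ''ip6tables "$@"''}` inside the existing string (assuming `lib` is among the module arguments). Also, the comment "This dumb function is a minor overhead" explains nothing; replace it with the actual reason, namely that ip6tables exits non-zero when IPv6 is disabled and, being the last command in the helper, makes every rule fail.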
38a44
>     }
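Review bot: the bare `}` added here closes the `${` opened in the first hunk, but `${ ... }` is string interpolation in Nix and is only valid inside a string; the `''` replaced at line 32 was the opening of the helper string, so the value position there is plain Nix, where `${` is a parse error. Write the conditional directly as `if config.networking.enableIPv6 then '' ... '' else '' ... ''` and drop both the `${` and this closing `}`.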


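The exit-status problem described in the message, shown as an added example (this is not code from the e-mail or from NixOS's firewall.nix): a copy of the ip46tables helper as reported, beside a guarded version that only touches ip6tables when IPv6 is enabled. The iptables/ip6tables commands are replaced by stub functions so the script runs without root, and the IPV6_DISABLED and ENABLE_IPV6 knobs are constructed for the demo (the latter standing in for networking.enableIPv6).

```shell
#!/bin/sh
# Added example, not from the original e-mail or from NixOS.
# Stand-in for the ip46tables helper in firewall.nix, run against stub
# iptables/ip6tables functions so it works without root privileges.
# IPV6_DISABLED and ENABLE_IPV6 are constructed knobs for this demo.

IPV6_DISABLED=${IPV6_DISABLED:-1}   # 1: kernel has no IPv6, ip6tables fails
ENABLE_IPV6=${ENABLE_IPV6:-0}       # stands in for networking.enableIPv6
N4=0                                # successful iptables invocations
N6=0                                # successful ip6tables invocations

# Stub: iptables always succeeds and is counted.
iptables() { N4=$((N4 + 1)); return 0; }

# Stub: ip6tables fails (constructed status 3) while IPv6 is disabled.
ip6tables() {
  if [ "$IPV6_DISABLED" = 1 ]; then
    echo "ip6tables: stub failure, IPv6 is disabled" >&2
    return 3
  fi
  N6=$((N6 + 1))
  return 0
}

# Helper as in the report: the function's status is that of ip6tables,
# its last command, so every rule fails as soon as ip6tables does.
ip46tables_orig() {
  iptables "$@"
  ip6tables "$@"
}

# Guarded helper: skip ip6tables unless IPv6 is enabled, and return the
# first failure instead of hiding an iptables error behind ip6tables.
ip46tables() {
  iptables "$@" || return $?
  if [ "$ENABLE_IPV6" = 1 ]; then
    ip6tables "$@" || return $?
  fi
  return 0
}

# Apply a small constructed rule set the way a `set -e` init script would:
# the first failing helper call stops the sequence. $1 is the helper name.
# Returns the first failing status; N4/N6 show what was actually applied.
apply_rules() {
  N4=0; N6=0
  "$1" -P INPUT DROP &&
  "$1" -A INPUT -i lo -j ACCEPT &&
  "$1" -A INPUT -p tcp --dport 22 -j ACCEPT
}

# One run of apply_rules summarised as "N4 N6 status".
run_summary() {
  status=0
  apply_rules "$1" || status=$?
  echo "$N4 $N6 $status"
}

run_summary ip46tables_orig   # IPv6 disabled: "1 0 3", one rule, then abort
run_summary ip46tables        # guarded, IPv6 off: "3 0 0", all rules applied
ENABLE_IPV6=1; IPV6_DISABLED=0
run_summary ip46tables        # guarded, IPv6 on: "3 3 0", both tables filled
```

With the original helper the first rule already returns the ip6tables status, so a script run under `set -e` (or with `&&`-chained rules) stops after the very first iptables call and leaves the tables essentially empty, which matches the empty chains observed in the message. The guarded helper also propagates an iptables failure that the original masked whenever ip6tables happened to succeed afterwards.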