Skip to content

Commit

Permalink
nixos/opensnitch: Add option to configure rules
Browse files Browse the repository at this point in the history
  • Loading branch information
@onny
onny authored and Yt committed Nov 28, 2022
1 parent 11fdcb1 commit 3aff916
Show file tree
Hide file tree
Showing 3 changed files with 74 additions and 16 deletions.
5 changes: 4 additions & 1 deletion nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,10 @@
<itemizedlist spacing="compact">
<listitem>
<para>
Create the first release note entry in this section!
The module for the application firewall
<literal>opensnitch</literal> got the ability to configure
rules. Available as
<link linkend="opt-services.opensnitch.rules">services.opensnitch.rules</link>
</para>
</listitem>
</itemizedlist>
Expand Down
2 changes: 1 addition & 1 deletion nixos/doc/manual/release-notes/rl-2305.section.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,4 +33,4 @@ In addition to numerous new and upgraded packages, this release has the followin

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- Create the first release note entry in this section!
- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)
83 changes: 69 additions & 14 deletions nixos/modules/services/security/opensnitch.nix
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,47 @@ with lib;
let
cfg = config.services.opensnitch;
format = pkgs.formats.json {};

predefinedRules = flip mapAttrs cfg.rules (name: cfg: {
file = pkgs.writeText "rule" (builtins.toJSON cfg);
});

in {
options = {
services.opensnitch = {
enable = mkEnableOption (lib.mdDoc "Opensnitch application firewall");
enable = mkEnableOption (mdDoc "Opensnitch application firewall");

rules = mkOption {
default = {};
example = literalExpression ''
{
"tor" = {
"name" = "tor";
"enabled" = true;
"action" = "allow";
"duration" = "always";
"operator" = {
"type" ="simple";
"sensitive" = false;
"operand" = "process.path";
"data" = "''${lib.getBin pkgs.tor}/bin/tor";
};
};
};
'';

description = mdDoc ''
Declarative configuration of firewall rules.
All rules will be stored in `/var/lib/opensnitch/rules`.
See [upstream documentation](https://github.com/evilsocket/opensnitch/wiki/Rules)
for available options.
'';

type = types.submodule {
freeformType = format.type;
};
};

settings = mkOption {
type = types.submodule {
freeformType = format.type;
Expand All @@ -18,15 +55,15 @@ in {

Address = mkOption {
type = types.str;
description = lib.mdDoc ''
description = mdDoc ''
Unix socket path (unix:///tmp/osui.sock, the "unix:///" part is
mandatory) or TCP socket (192.168.1.100:50051).
'';
};

LogFile = mkOption {
type = types.path;
description = lib.mdDoc ''
description = mdDoc ''
File to write logs to (use /dev/stdout to write logs to standard
output).
'';
Expand All @@ -36,7 +73,7 @@ in {

DefaultAction = mkOption {
type = types.enum [ "allow" "deny" ];
description = lib.mdDoc ''
description = mdDoc ''
Default action whether to block or allow application internet
access.
'';
Expand All @@ -46,36 +83,36 @@ in {
type = types.enum [
"once" "always" "until restart" "30s" "5m" "15m" "30m" "1h"
];
description = lib.mdDoc ''
description = mdDoc ''
Default duration of firewall rule.
'';
};

InterceptUnknown = mkOption {
type = types.bool;
description = lib.mdDoc ''
description = mdDoc ''
Wheter to intercept spare connections.
'';
};

ProcMonitorMethod = mkOption {
type = types.enum [ "ebpf" "proc" "ftrace" "audit" ];
description = lib.mdDoc ''
description = mdDoc ''
Which process monitoring method to use.
'';
};

LogLevel = mkOption {
type = types.enum [ 0 1 2 3 4 ];
description = lib.mdDoc ''
description = mdDoc ''
Default log level from 0 to 4 (debug, info, important, warning,
error).
'';
};

Firewall = mkOption {
type = types.enum [ "iptables" "nftables" ];
description = lib.mdDoc ''
description = mdDoc ''
Which firewall backend to use.
'';
};
Expand All @@ -84,24 +121,23 @@ in {

MaxEvents = mkOption {
type = types.int;
description = lib.mdDoc ''
description = mdDoc ''
Max events to send to the GUI.
'';
};

MaxStats = mkOption {
type = types.int;
description = lib.mdDoc ''
description = mdDoc ''
Max stats per item to keep in backlog.
'';
};

};
};
};
description = lib.mdDoc ''
opensnitchd configuration. Refer to
<https://github.com/evilsocket/opensnitch/wiki/Configurations>
description = mdDoc ''
opensnitchd configuration. Refer to [upstream documentation](https://github.com/evilsocket/opensnitch/wiki/Configurations)
for details on supported values.
'';
};
Expand All @@ -118,6 +154,25 @@ in {
services.opensnitchd.wantedBy = [ "multi-user.target" ];
};

systemd.services.opensnitchd.preStart = mkIf (cfg.rules != {}) (let
rules = flip mapAttrsToList predefinedRules (file: content: {
inherit (content) file;
local = "/var/lib/opensnitch/rules/${file}.json";
});
in ''
# Remove all firewall rules from `/var/lib/opensnitch/rules` that are symlinks to a store-path,
# but aren't declared in `cfg.rules` (i.e. all networks that were "removed" from
# `cfg.rules`).
find /var/lib/opensnitch/rules -type l -lname '${builtins.storeDir}/*' ${optionalString (rules != {}) ''
-not \( ${concatMapStringsSep " -o " ({ local, ... }:
"-name '${baseNameOf local}*'")
rules} \) \
''} -delete
${concatMapStrings ({ file, local }: ''
ln -sf '${file}' "${local}"
'') rules}
'');

environment.etc."opensnitchd/default-config.json".source = format.generate "default-config.json" cfg.settings;

};
Expand Down

0 comments on commit 3aff916

Please sign in to comment.