support maps in firewallgen

2025-03-21 21:19:18 +00:00 · 2025-03-21 21:19:18 +00:00 · 0ae5689a40
commit 0ae5689a40
parent 45047dc023
2 changed files with 35 additions and 3 deletions
--- a/pkgs/firewallgen/default.nix
+++ b/pkgs/firewallgen/default.nix
@ -13,8 +13,8 @@ let
    optionalString
    ;
  inherit (lib.lists) groupBy;
-  inherit (lib.attrsets) mapAttrsToList;
-  inherit (builtins) map head tail;
+  inherit (lib.attrsets) attrsToList mapAttrsToList;
+  inherit (builtins) elemAt map head tail toString;

  indentLines =
    offset: lines:
@ -68,6 +68,25 @@ let
      }
    '';

+  domap =
+    {
+      name,
+      type,
+      elements ? [ ],
+      extraText ? null,
+      ...
+    }:
+      let
+        colonize = v:
+          let  ty = elemAt (attrsToList v) 0; in "${ty.name}: ${ty.value}";
+      in ''
+        map ${name}  {
+          type ${colonize type}
+          ${if elements != [ ] then "elements = { ${concatStringsSep ", " (mapAttrsToList (k: v : "${k}: ${toString v}") elements)} }" else ""}
+          ${optionalString (extraText != null) extraText}
+        }
+      '';
+
  dochainorset =
    {
      kind ? "chain",
@ -76,6 +95,7 @@ let
    {
      chain = dochain;
      set = doset;
+      map = domap;
    }
    .${kind}
      params;
--- a/pkgs/firewallgen/test-rules-min.nix
+++ b/pkgs/firewallgen/test-rules-min.nix
@ -151,6 +151,18 @@ in
      "eth0"
      "eth1"
    ];
-
  };
+
+  map-intf-limits-ip6 = {
+    name = "intf-limits";
+    kind = "map";
+    family = "ip6";
+    type = { ifname = "bytes"; };
+    elements = {
+      # XXX keys need to be generated from interface outputs
+      ppp0 = builtins.floor (70*1000*1000 * 0.05); # 5% of 70MB fttp connection
+      lan = builtins.floor (1000*1000*1000 * 0.05); # GB ethernet
+    };
+  };
+
 }