From 843e1f6c1ea9702c57b690eff0d1979207e49872 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Wed, 9 Mar 2011 12:28:44 +0000
Subject: [PATCH] * Cleanup.
svn path=/nixos/trunk/; revision=26228
---
modules/services/networking/firewall.nix | 26 ++++++++++++------------
modules/tasks/network-interfaces.nix | 3 ++-
2 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index 28c43ef33707..6cefd0e7d076 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -4,8 +4,6 @@ with pkgs.lib;
 let
- iptables = "${pkgs.iptables}/sbin/iptables";
-
 cfg = config.networking.firewall;
 in
@@ -76,47 +74,49 @@ in
 # holds).
 config = mkIf config.networking.firewall.enable {
- environment.systemPackages = [pkgs.iptables];
+ environment.systemPackages = [ pkgs.iptables ];
 jobs.firewall = {
 startOn = "started network-interfaces";
+ path = [ pkgs.iptables ];
+
 preStart = ''
- ${iptables} -F
+ iptables -F
 # Accept all traffic on the loopback interface.
- ${iptables} -A INPUT -i lo -j ACCEPT
+ iptables -A INPUT -i lo -j ACCEPT
 # Accept packets from established or related connections.
- ${iptables} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 # Accept connections to the allowed TCP ports.
 ${concatMapStrings (port: ''
- ${iptables} -A INPUT -p tcp --dport ${toString port} -j ACCEPT
+ iptables -A INPUT -p tcp --dport ${toString port} -j ACCEPT
 '' ) config.networking.firewall.allowedTCPPorts }
 # Accept multicast. Not a big security risk since
 # probably nobody is listening anyway.
- ${iptables} -A INPUT -d 224.0.0.0/4 -j ACCEPT
+ iptables -A INPUT -d 224.0.0.0/4 -j ACCEPT
 # Drop everything else.
 ${optionalString cfg.logRefusedConnections ''
- ${iptables} -A INPUT -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: "
+ iptables -A INPUT -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: "
 ''}
 ${optionalString cfg.logRefusedPackets ''
- ${iptables} -A INPUT -j LOG --log-level info --log-prefix "rejected packet: "
+ iptables -A INPUT -j LOG --log-level info --log-prefix "rejected packet: "
 ''}
- ${iptables} -A INPUT -j ${if cfg.rejectPackets then "REJECT" else "DROP"}
+ iptables -A INPUT -j ${if cfg.rejectPackets then "REJECT" else "DROP"}
 '';
 postStop = ''
- ${iptables} -F
- '';
+ iptables -F
+ '';
 };
 };
diff --git a/modules/tasks/network-interfaces.nix b/modules/tasks/network-interfaces.nix
index 2a760decab98..cbac5a60b91a 100644
--- a/modules/tasks/network-interfaces.nix
+++ b/modules/tasks/network-interfaces.nix
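Review bot: The rebuilt preStart still leaves the host open between `iptables -F` and the final `iptables -A INPUT -j ${if cfg.rejectPackets then "REJECT" else "DROP"}` line, because no line in this hunk sets a chain policy, so the flush leaves the built-in INPUT policy at whatever it was before (the kernel default is ACCEPT); postStop has the same shape, flushing every rule and leaving nothing behind. Setting `iptables -P INPUT DROP` ahead of the flush in preStart closes that window, and postStop would then need `iptables -P INPUT ACCEPT` after its own flush so that stopping the job does not lock the machine out. Since the commands now find `iptables` through the job's `path = [ pkgs.iptables ];` rather than the removed `${iptables}` binding, a comment on that option such as `# iptables resolves through the job PATH; keep the rule script free of absolute store paths` would tell the next editor why the binding went away. Only IPv4 rules are installed here; whether IPv6 traffic is filtered anywhere cannot be told from this hunk.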
@@ -162,9 +162,10 @@ in
 startOn = "stopped udevtrigger";
+ path = [ config.system.sbin.modprobe pkgs.iproute ];
+
 preStart = ''
- export PATH=${config.system.sbin.modprobe}/sbin:${pkgs.iproute}/sbin:$PATH
 modprobe af_packet || true
 ${pkgs.lib.concatMapStrings (i: