authorMaciej Krüger <mkg20001@gmail.com>2022-12-26 00:35:15 +0100
committerMaciej Krüger <mkg20001@gmail.com>2023-08-28 00:35:39 +0200
commitcd3af25932425e1b1acfaad9c9ee85694fe70ae6 (patch)
tree514474a621cf6d35748da518c3179b5f6165aa23
parent311d2fa994565ab412681b9ab8cbb12054ab265a (diff)
networking/nftables: enable flushing ruleset for older versions
Co-authored-by: Naïm Favier <n@monade.li>
-rw-r--r--nixos/modules/services/networking/nftables.nix4
1 files changed, 4 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix
index 4bc115cd580c6..810dc22a20a8e 100644
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@@ -83,6 +83,8 @@ in
       '';
     };
 
+    networking.nftables.flushRuleset = mkEnableOption (lib.mdDoc "Flush the entire ruleset on each reload.");
+
     networking.nftables.ruleset = mkOption {
       type = types.lines;
       default = "";
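Review bot: The description of the new `networking.nftables.flushRuleset` option says only that the whole ruleset is flushed on reload; it does not tell the user that this wipes every nftables table in the kernel, including tables this module did not create (for example ones added by other services), nor that the effective default depends on `system.stateVersion`, which is set with `mkDefault` in the config section and therefore not visible in the rendered option docs. As far as the later hunk shows, when the option is off only the tables declared in `networking.nftables.tables` are created and deleted, so tables that are no longer declared stay in place; that trade-off belongs in the description too. I would write it as `Flush the entire ruleset on each reload. This removes every nftables table in the kernel, including tables created by other services, before the declared tables are (re)created; when disabled, only the declared tables are replaced and tables no longer declared are left untouched. Defaults to true when system.stateVersion is older than 23.11.`.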
@@ -209,6 +211,7 @@ in
     boot.blacklistedKernelModules = [ "ip_tables" ];
     environment.systemPackages = [ pkgs.nftables ];
     networking.networkmanager.firewallBackend = mkDefault "nftables";
+    networking.nftables.flushRuleset = mkDefault (versionOlder config.system.stateVersion "23.11");
     systemd.services.nftables = {
       description = "nftables firewall";
       before = [ "network-pre.target" ];
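Review bot: Setting the stateVersion-dependent default with `mkDefault` on the new `networking.nftables.flushRuleset` line in the config section hides it from the generated option documentation, which will show `mkEnableOption`'s default of `false`; an operator on a pre-23.11 system reading the manual will believe flushing is off while it is on, and will not learn that their reload wipes tables owned by other tools. The usual NixOS pattern is to put the default on the option itself, `default = versionOlder config.system.stateVersion "23.11";` with `defaultText = lib.literalExpression ''versionOlder config.system.stateVersion "23.11"'';`, and drop this `mkDefault` line; that also requires turning the `mkEnableOption` in the first hunk into a plain `mkOption { type = types.bool; ... }`. The unqualified `mkDefault`/`optionalString` elsewhere in the file suggest `versionOlder` is in scope via `with lib;`, but that is outside this hunk.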
@@ -222,6 +225,7 @@ in
           executable = true;
           text = ''
             #! ${pkgs.nftables}/bin/nft -f
+            ${optionalString cfg.flushRuleset "flush ruleset"}
             ${concatStringsSep "\n" (mapAttrsToList (_: table: ''
               table ${table.family} ${table.name}
               delete table ${table.family} ${table.name}
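Review bot: When `cfg.flushRuleset` is false, the script emitted after the new `flush ruleset` line only creates-then-deletes the tables currently declared in `cfg.tables`, so, as far as this hunk shows, a table that was removed or renamed in `networking.nftables.tables` between two generations keeps its old rules in the kernel after a reload; a stale accept rule outliving the configuration it came from is a firewall concern that the generated script should at least warn about. Since `nft -f` accepts `#` comments, I would emit one next to the conditional line, e.g. `# "flush ruleset" is emitted only when networking.nftables.flushRuleset is set; otherwise only the declared tables are replaced and undeclared tables persist`. The blank line produced when the option is off is harmless to `nft -f`. The `text = ''` template that contains this script continues outside the hunk.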