author | Maciej Krüger <mkg20001@gmail.com> | 2022-12-26 00:35:15 +0100 |
committer | Maciej Krüger <mkg20001@gmail.com> | 2023-08-28 00:35:39 +0200 |
commit | cd3af25932425e1b1acfaad9c9ee85694fe70ae6 (patch) | |
tree | 514474a621cf6d35748da518c3179b5f6165aa23 | |
parent | 311d2fa994565ab412681b9ab8cbb12054ab265a (diff) |
networking/nftables: enable flushing ruleset for older versions
Co-authored-by: Naïm Favier <n@monade.li>
-rw-r--r-- | nixos/modules/services/networking/nftables.nix | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix
index 4bc115cd580c6..810dc22a20a8e 100644
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@@ -83,6 +83,8 @@ in
       '';
     };
 
+    networking.nftables.flushRuleset = mkEnableOption (lib.mdDoc "Flush the entire ruleset on each reload.");
+
     networking.nftables.ruleset = mkOption {
       type = types.lines;
       default = "";
@@ -209,6 +211,7 @@ in
     boot.blacklistedKernelModules = [ "ip_tables" ];
     environment.systemPackages = [ pkgs.nftables ];
     networking.networkmanager.firewallBackend = mkDefault "nftables";
+    networking.nftables.flushRuleset = mkDefault (versionOlder config.system.stateVersion "23.11");
     systemd.services.nftables = {
       description = "nftables firewall";
       before = [ "network-pre.target" ];
@@ -222,6 +225,7 @@ in
           executable = true;
           text = ''
             #! ${pkgs.nftables}/bin/nft -f
+            ${optionalString cfg.flushRuleset "flush ruleset"}
             ${concatStringsSep "\n" (mapAttrsToList (_: table: ''
               table ${table.family} ${table.name}
               delete table ${table.family} ${table.name} |
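Review bot: The description `Flush the entire ruleset on each reload.` on the new `flushRuleset` option omits the security trade-off a user needs in order to choose: with it enabled, every reload wipes rules installed by anything other than this module (other daemons, manual `nft` additions); with it disabled, only the tables declared in `networking.nftables.tables` are replaced (the generated script deletes and redefines each declared table, see the third hunk), so a table removed from the configuration stays in effect until reboot, and the free-form `ruleset` text, if it is still appended after the tables as it presumably is outside this hunk, is loaded on top of what is already in the kernel. Suggest expanding the description to: `Flush the entire ruleset on each reload. When disabled, only tables declared in networking.nftables.tables are replaced; rules loaded by other tools survive a reload, but so do tables that were removed from the configuration. The default depends on system.stateVersion.` The enclosing `options` attribute set starts and ends outside this hunk.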
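Review bot: The new default `networking.nftables.flushRuleset = mkDefault (versionOlder config.system.stateVersion "23.11");` encodes a behaviour cutover with no comment, so a reader cannot tell why two systems running the same module get different firewall semantics depending on their stateVersion, nor why the legacy behaviour is kept for older ones. Add a why-comment above it along the lines of `# Systems set up before 23.11 relied on an unconditional "flush ruleset"; keep it for them so removed rules do not linger, new systems only replace the tables they declare.` It may also be worth warning when `cfg.ruleset` is non-empty and flushing is disabled, since that free-form text presumably cannot be replaced atomically the way declared tables are; that interaction is inferred from the first hunk, not shown here. The enclosing `config` block starts and ends outside this hunk.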
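Review bot: When `cfg.flushRuleset` is false the `${optionalString cfg.flushRuleset "flush ruleset"}` line emits nothing and the script falls through to the per-table `table …` / `delete table …` pairs, which only clear tables that are still declared; nothing removes a table this module created in an earlier generation that has since been dropped from `networking.nftables.tables`, so a firewall table the administrator believes deleted keeps filtering (or keeps accepting) until reboot. A short comment in the generated script would make that limitation visible where it applies, e.g. `# Without "flush ruleset" only the tables declared below are replaced; tables removed from the configuration are not deleted.` If that gap is treated as a defect rather than an accepted trade-off, the reload would need to record the previously managed tables and delete them here, which is beyond this hunk. The `text = ''` heredoc continues past the end of the hunk.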