author | Rvfg <i@rvf6.com> | 2022-12-23 00:23:23 +0800 |
---|---|---|
committer | Rvfg <i@rvf6.com> | 2022-12-23 00:49:24 +0800 |
commit | a43c7b2a70da8e7ed82749daf4c13543876b44cf (patch) | |
tree | 240be2cb7082324242a24079b6467d00837abf8b /nixos/modules/services/networking/nftables.nix | |
parent | 2379de680d8c7d652cfc9a94b7e42691846c70a4 (diff) |
nixos/{firewall, nat}: add a nftables based implementation
Diffstat (limited to 'nixos/modules/services/networking/nftables.nix')
-rw-r--r-- | nixos/modules/services/networking/nftables.nix | 26 |
1 files changed, 10 insertions, 16 deletions
diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix
index 8166a8e7110bd..bd13e8c9929a3 100644
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@@ -12,11 +12,9 @@ in
 default = false;
 description = lib.mdDoc ''
- Whether to enable nftables. nftables is a Linux-based packet
- filtering framework intended to replace frameworks like iptables.
-
- This conflicts with the standard networking firewall, so make sure to
- disable it before using nftables.
+ Whether to enable nftables and use nftables based firewall if enabled.
+ nftables is a Linux-based packet filtering framework intended to
+ replace frameworks like iptables.
 
 Note that if you have Docker enabled you will not be able to use
 nftables without intervention. Docker uses iptables internally to
@@ -79,19 +77,17 @@ in
 lib.mdDoc ''
 The ruleset to be used with nftables. Should be in a format that
 can be loaded using "/bin/nft -f". The ruleset is updated atomically.
+ This option conflicts with rulesetFile.
 '';
 };
 
 networking.nftables.rulesetFile = mkOption {
- type = types.path;
- default = pkgs.writeTextFile {
- name = "nftables-rules";
- text = cfg.ruleset;
- };
- defaultText = literalMD ''a file with the contents of {option}`networking.nftables.ruleset`'';
+ type = types.nullOr types.path;
+ default = null;
 description = lib.mdDoc ''
 The ruleset file to be used with nftables. Should be in a format that
 can be loaded using "nft -f". The ruleset is updated atomically.
+ This option conflicts with ruleset and nftables based firewall.
 '';
 };
 };
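Review bot: The new description line in the rulesetFile hunk says the option conflicts with ruleset and with the nftables-based firewall, but nothing in this file enforces that conflict: the rulesScript hunk at the end of the diff includes only the file when rulesetFile is non-null and discards cfg.ruleset entirely, so any rules another module contributed to networking.nftables.ruleset would be silently skipped rather than rejected. Whether the new firewall implementation writes into ruleset is not visible in this diff, but if it does, a user who also sets rulesetFile ends up with firewall rules that are never loaded and no error telling them so. An assertion inside the `config = mkIf cfg.enable { ... }` set would turn the silent drop into an evaluation failure, e.g. `assertions = [{ assertion = cfg.rulesetFile == null || cfg.ruleset == ""; message = "networking.nftables.rulesetFile and networking.nftables.ruleset are mutually exclusive."; }];`, assuming ruleset defaults to an empty string, which this page does not show. The same point applies to the rulesScript hunk.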
@@ -99,10 +95,6 @@ in
 ###### implementation
 
 config = mkIf cfg.enable {
- assertions = [{
- assertion = config.networking.firewall.enable == false;
- message = "You can not use nftables and iptables at the same time. networking.firewall.enable must be set to false.";
- }];
 boot.blacklistedKernelModules = [ "ip_tables" ];
 environment.systemPackages = [ pkgs.nftables ];
 networking.networkmanager.firewallBackend = mkDefault "nftables";
@@ -116,7 +108,9 @@ in
 rulesScript = pkgs.writeScript "nftables-rules" ''
 #! ${pkgs.nftables}/bin/nft -f
 flush ruleset
- include "${cfg.rulesetFile}"
+ ${if cfg.rulesetFile != null then ''
+ include "${cfg.rulesetFile}"
+ '' else cfg.ruleset}
 '';
 in {
 Type = "oneshot";
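Review bot: The assertion removed in the first hunk here was the only guard in this file against enabling nftables together with networking.firewall, and nothing in this file takes its place; the commit title suggests the firewall module now owns that combination, but from this diff alone the module still blacklists `ip_tables` unconditionally, so an iptables-based firewall enabled alongside nftables would lose its kernel backend silently instead of failing evaluation. If the guard has moved, a comment next to `boot.blacklistedKernelModules = [ "ip_tables" ];` such as `# the iptables/nftables firewall conflict is asserted in the firewall module` would tell the next reader where the check lives; if it has not, the assertion should stay here. The enclosing `config = mkIf cfg.enable { ... }` set continues past the end of this hunk.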