Diffstat (limited to 'nixos/modules/services/networking/nftables.nix')
-rw-r--r-- | nixos/modules/services/networking/nftables.nix | 26 |
1 files changed, 10 insertions, 16 deletions
diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix
index 8166a8e7110bd..bd13e8c9929a3 100644
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@@ -12,11 +12,9 @@ in
       default = false;
       description = lib.mdDoc ''
-        Whether to enable nftables. nftables is a Linux-based packet
-        filtering framework intended to replace frameworks like iptables.
-
-        This conflicts with the standard networking firewall, so make sure to
-        disable it before using nftables.
+        Whether to enable nftables and use nftables based firewall if enabled.
+        nftables is a Linux-based packet filtering framework intended to
+        replace frameworks like iptables.
 
         Note that if you have Docker enabled you will not be able to use
         nftables without intervention. Docker uses iptables internally to
@@ -79,19 +77,17 @@ in
         lib.mdDoc ''
           The ruleset to be used with nftables. Should be in a format that
           can be loaded using "/bin/nft -f". The ruleset is updated atomically.
+          This option conflicts with rulesetFile.
         '';
     };
 
     networking.nftables.rulesetFile = mkOption {
-      type = types.path;
-      default = pkgs.writeTextFile {
-        name = "nftables-rules";
-        text = cfg.ruleset;
-      };
-      defaultText = literalMD ''a file with the contents of {option}`networking.nftables.ruleset`'';
+      type = types.nullOr types.path;
+      default = null;
       description = lib.mdDoc ''
         The ruleset file to be used with nftables. Should be in a format that
         can be loaded using "nft -f". The ruleset is updated atomically.
+        This option conflicts with ruleset and nftables based firewall.
       '';
     };
   };
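Review bot: The new `rulesetFile` description says the option "conflicts with ruleset and nftables based firewall" but never says what happens when both are set; from the rulesScript change in a later hunk of this diff it looks like a non-null `rulesetFile` simply wins and the inline ruleset is never loaded, which for a firewall means rules an administrator believes are active are silently absent. Spell that consequence out in the description, e.g. `When set, nftables loads only this file; anything in {option}`networking.nftables.ruleset` (including rules generated by other modules) is ignored.` The mkOption for `ruleset` begins before this hunk, and the two descriptions still disagree on `"/bin/nft -f"` versus `"nft -f"`, which is pre-existing but worth aligning while the text is being touched.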
@@ -99,10 +95,6 @@ in
   ###### implementation
 
   config = mkIf cfg.enable {
-    assertions = [{
-      assertion = config.networking.firewall.enable == false;
-      message = "You can not use nftables and iptables at the same time. networking.firewall.enable must be set to false.";
-    }];
     boot.blacklistedKernelModules = [ "ip_tables" ];
     environment.systemPackages = [ pkgs.nftables ];
     networking.networkmanager.firewallBackend = mkDefault "nftables";
@@ -116,7 +108,9 @@ in
         rulesScript = pkgs.writeScript "nftables-rules" ''
           #! ${pkgs.nftables}/bin/nft -f
           flush ruleset
-          include "${cfg.rulesetFile}"
+          ${if cfg.rulesetFile != null then ''
+            include "${cfg.rulesetFile}"
+          '' else cfg.ruleset}
         '';
       in {
         Type = "oneshot";
|
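Review bot: With the assertion removed, nothing left in this file stops `networking.firewall.enable = true` from being combined with the `boot.blacklistedKernelModules = [ "ip_tables" ]` line that stays directly below it; the new `enable` description implies the firewall module now emits nftables rules instead, but that module is outside this diff (the diffstat is limited to nftables.nix), so that coupling is inferred rather than visible here. If the firewall module can still end up on an iptables backend, the blacklist would turn what used to be a failed evaluation into a host that boots with no firewall rules, which is the worse failure mode. At minimum a comment on the blacklist line should record the assumption, e.g. `# Safe only because networking.firewall switches to an nftables backend when this module is enabled; see firewall.nix.`, and the assertion should be replaced rather than dropped if there is a firewall option that expresses the backend.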
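Review bot: The new `if cfg.rulesetFile != null then … else cfg.ruleset` in rulesScript makes a set `rulesetFile` silently discard whatever is in `ruleset`, so a user who sets both (or enables the firewall, which the option text says now feeds nftables, and also points at a file) gets a ruleset that is missing rules with no build-time error; a firewall that loads fewer rules than configured is a security defect, not just a documentation gap. The "conflicts" wording added to both option descriptions should be enforced in the `config` block (the earlier hunk of this diff, which just removed the only assertion), e.g. `assertion = cfg.rulesetFile == null || cfg.ruleset == "";` with `message = "networking.nftables.rulesetFile and networking.nftables.ruleset are mutually exclusive; rules in ruleset would be silently ignored.";` — this assumes `ruleset` defaults to the empty string, which is not visible in this chunk and should be confirmed. Note also that when neither option is set the script still runs `flush ruleset` followed by nothing, so the unit succeeds with an empty ruleset; that fail-open behaviour predates this change but the new branch is a good place to guard it or at least comment on it. The enclosing `let`/serviceConfig block starts and ends outside this hunk.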