nftables module: absorb into firewall module, rename ruleset options #161428
Comments
What's the status with this atm? As users do we continue to use

I didn't put any time into this so far. 21.11 moved to using the nftables kernel infrastructure under the hood, by switching to use This means, the

Are there any bigger breakages or would it be possible to move to `networking.nftables.enable = true;` by default on 24.05? What could be done is to just make nftables the default from 24.05 and keep the iptables options around as compatibility for as long as necessary.

The parts needing work here are more the ruleset related parts also mentioned in the issue description.

Can we enable nftables firewall backend by default with NixOS 22.04? 🥲

nftables backend already enabled in #81172

the default for

Yep, they are the same thing on the kernel side, the difference between these modules is a frontend used to talk to the kernel.
Problem statement

Right now, we have `networking.nftables` and `networking.firewall`.

However, at least since #81172 (which got shipped in 21.11) we kinda default to using nftables, and all `ip[6]tables`/`arptables`/`ebtables` invocations essentially only modify `nf_tables` rules under the hood.

This means, most of the things we do in the `nftables` NixOS module should also be done by default, not just if we set `networking.nftables.enable` to true:

- `nft` binary in `$PATH` to be able to see and modify these rules (at least in the cases where we have `iptables` & Co. in `$PATH`).
- `nftables` backend also makes sense. systemd-networkd already does the same.

There's an assertion preventing us from enabling both the NixOS firewall and the nftables module, as the nftables module also creates a systemd unit that tries to (exclusively) configure all `nf_tables` tables (which is doomed to fail, as there's other things inserting into it, such as systemd-networkd, and libvirt (through `iptables-nft`)).

Proposed Fix(es)

- `networking.nftables.ruleset` and `networking.nftables.rulesetFile` somewhere below `networking.firewall`, with a big fat disclaimer (`lib.warn`?) stating this doesn't compose with the rest of the NixOS firewall, or other things interacting with the firewall, as it exclusively replaces everything whenever restarted.

cc @fpletz @misuzu @andir
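Two checks an administrator can run before combining the NixOS firewall with `networking.nftables.ruleset`, as an added example that is not part of the issue or of the NixOS modules. The first classifies `iptables --version` output, which since iptables 1.8 ends in `(nf_tables)` or `(legacy)`, to confirm that iptables invocations really land in `nf_tables` as the issue states. The second reports whether an nft ruleset opens with a top-level `flush ruleset`, the nft statement that drops every table in the kernel, including ones owned by systemd-networkd or libvirt via `iptables-nft`, before the file is loaded; the issue describes the "exclusively replaces everything" behaviour but does not name that statement, so treating `flush ruleset` as the mechanism is an assumption here. The sample version strings and rulesets are constructed, not captured from a host.

```shell
#!/usr/bin/env bash
# Added example, not code from the NixOS nixpkgs issue or its modules.

detect_iptables_backend() {
  # $1: one line of `iptables --version` output, e.g. "iptables v1.8.7 (nf_tables)".
  # Prints nf_tables, legacy, or unknown.
  case "$1" in
    *"(nf_tables)"*) echo nf_tables ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

ruleset_is_exclusive() {
  # $1: nft ruleset text. Returns 0 when a top-level `flush ruleset`
  # (optionally family-scoped, e.g. `flush ruleset inet`) is present after
  # comments are stripped, 1 otherwise. Such a ruleset wipes tables created
  # by every other frontend, so it cannot compose with the NixOS firewall.
  printf '%s\n' "$1" \
    | sed -e 's/#.*$//' \
    | grep -Eq '^[[:space:]]*flush[[:space:]]+ruleset([[:space:]]|;|$)'
}

# Constructed sample inputs (assumed shapes, not captured from a real system).
SAMPLE_NFT_VERSION='iptables v1.8.7 (nf_tables)'
SAMPLE_LEGACY_VERSION='iptables v1.8.7 (legacy)'

SAMPLE_EXCLUSIVE_RULESET='flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname lo accept
    tcp dport 22 accept
  }
}'

SAMPLE_ADDITIVE_RULESET='# declares only its own table and leaves others alone
table inet myfilter {
  chain input {
    type filter hook input priority 0; policy drop;
    tcp dport 22 accept
  }
}'

main() {
  # Report the live backend when iptables is in PATH, otherwise fall back
  # to the constructed sample so the script still demonstrates the check.
  if command -v iptables >/dev/null 2>&1; then
    printf 'iptables backend: %s\n' \
      "$(detect_iptables_backend "$(iptables --version 2>/dev/null)")"
  else
    printf 'iptables not in PATH; sample classifies as: %s\n' \
      "$(detect_iptables_backend "$SAMPLE_NFT_VERSION")"
  fi

  if ruleset_is_exclusive "$SAMPLE_EXCLUSIVE_RULESET"; then
    echo 'exclusive sample: flushes the whole kernel ruleset before loading'
  fi
  if ! ruleset_is_exclusive "$SAMPLE_ADDITIVE_RULESET"; then
    echo 'additive sample: only touches its own table'
  fi
}

main "$@"
```

On a NixOS host that ships `nft` in `$PATH`, `nft list ruleset` shows the tables that iptables-nft, systemd-networkd and the firewall module have created side by side; running `ruleset_is_exclusive` over a proposed `networking.nftables.rulesetFile` beforehand tells you whether loading it would discard all of them.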