nixos/networkmanager: default firewallBackend to nftables, remove firewallBackend

[SuperSandro2000]

Description of changes

see #161428

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.11 Release Notes (or backporting 23.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[mkg20001]

@flokli What's left (besides CI green) for this to be ready?

[flokli]

Didn't we switch the iptables binary to iptables-nftables-compat in #81172, so even with config.networking.nftables.enable set to false (the default still?) all iptables rules are in fact also nft rules?

NetworkManager also seems to have an autodetection mode, which will use nft as soon as an nft binary is available, and only fall back in case only iptables binary is present. I assume most distros these days have an nft in $PATH.

I'd probably change this config option to default to being /unset/, and make sure nftables is in the NetworkManager $PATH, so it normally uses nft. This matches closer the behaviour on other distros, and follows the principle of least surprise.

People who then explicitly want to still use the iptables binary (to see the NetworkManager-configured rules in an iptables-nftables-compat/iptables-legacy invocation) could set the option, but leaving the option unset in NixOS, and having NetworkManager use its default logic seems like the right path forward to me.

[mkg20001]

automatic detection simply checks if the nft executable exists and then uses nft right away, which i assume will always be the case in nixos since we patch the path in

meaning the effective default is nftables.

will it be more or less confusing if we set this explicitly?
can legacy iptables even still be enabled? otherwise we might want to get rid of the firewallBackend

static NMFirewallBackend
_firewall_backend_detect(void)
{
    if (g_file_test(NFT_PATH, G_FILE_TEST_IS_EXECUTABLE))
        return NM_FIREWALL_BACKEND_NFTABLES;
    if (g_file_test(IPTABLES_PATH, G_FILE_TEST_IS_EXECUTABLE))
        return NM_FIREWALL_BACKEND_IPTABLES;

    return NM_FIREWALL_BACKEND_NFTABLES;
}
```

[flokli]

I think people can still opt out of nftables by overwriting the iptables binary to the legacy one. At least the example in networking.firewall.package mentions it as an example. This is probably not tested at all, and not sure if it's worthwhile putting in that work still.

I'd probably just remove the networking.networkmanager.firewallBackendoption entirely, and keep the autodetection code in NetworkManager itself.

[mkg20001]

I'd probably just remove the networking.networkmanager.firewallBackendoption entirely, and keep the autodetection code in NetworkManager itself.

So it should only use nftables then (see other comment)? I'll edit that then

[flokli]

SGTM!

old

[jian-lin]

some nitpicking