nixos/firewall: assert that the kernel supports conntrack helper auto-loading

K900 18f85de7 2eeefe41

+6
+2
nixos/doc/manual/release-notes/rl-2305.section.md
··· 142 142 143 143 - [services.xserver.videoDrivers](options.html#opt-services.xserver.videoDrivers) now defaults to the `modesetting` driver over device-specific ones. The `radeon`, `amdgpu` and `nouveau` drivers are still available, but effectively unmaintained and not recommended for use. 144 144 145 + - conntrack helper autodetection has been removed from kernels 6.0 and up upstream, and an assertion was added to ensure things don't silently stop working. Migrate your configuration to assign helpers explicitly or use an older LTS kernel branch as a temporary workaround. 146 + 145 147 ## Other Notable Changes {#sec-release-23.05-notable-changes} 146 148 147 149 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
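Review bot: the release note never names the option that now trips the assertion, so a user who hits the build failure has to go digging in firewall.nix to find it; name `networking.firewall.autoLoadConntrackHelpers` in the note (it is the `cfg.autoLoadConntrackHelpers` referenced by the new assertion) and spell out that setting it to `false` is the first step of the migration. "assign helpers explicitly" is also left without a pointer to how that is done; one clause naming the mechanism (a per-rule CT helper assignment, or whichever option this module provides for it) would make the entry actionable instead of a description of the kernel change.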
+4
nixos/modules/services/networking/firewall.nix
··· 269 269 assertion = cfg.filterForward -> config.networking.nftables.enable; 270 270 message = "filterForward only works with the nftables based firewall"; 271 271 } 272 + { 273 + assertion = cfg.autoLoadConntrackHelpers -> lib.versionOlder config.boot.kernelPackages.kernel.version "6"; 274 + message = "conntrack helper autoloading has been removed from kernel 6.0 and newer"; 275 + } 272 276 ]; 273 277 274 278 networking.firewall.trustedInterfaces = [ "lo" ];
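Review bot: the assertion message should tell the user what to change, not only what the kernel dropped; `"conntrack helper autoloading has been removed from kernel 6.0 and newer"` reads like a kernel changelog, whereas something like `message = "networking.firewall.autoLoadConntrackHelpers is not supported on kernel 6.0 and newer; set it to false and assign helpers explicitly, or use a kernel older than 6.0";` names the option and the remedy. Two things worth confirming before merge, since neither is visible in the hunk: that the option's default is `false` (if it defaults to `true`, every default configuration on a 6.x kernel fails to evaluate after this change), and that `lib.versionOlder config.boot.kernelPackages.kernel.version "6"` behaves as intended at the boundary (`versionOlder "6.0" "6"` is false, so a 6.0 kernel is correctly rejected, and every 5.x kernel passes).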