lol

*: migrate to using nftables.tables instead of ruleset directly

+22 -28
+2 -7
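--- a/nixos/modules/services/networking/firewall-nftables.nix
+++ b/nixos/modules/services/networking/firewall-nftables.nix
@@ -70,10 +70,8 @@
 }
 ];
 
-networking.nftables.ruleset = ''
-
-table inet nixos-fw {
-
+networking.nftables.tables."nixos-fw".family = "inet";
+networking.nftables.tables."nixos-fw".content = ''
 ${optionalString (cfg.checkReversePath != false) ''
 chain rpfilter {
 type filter hook prerouting priority mangle + 10; policy drop;
@@ -169,9 +167,6 @@
 
 }
 ''}
-
-}
-
 '';
 
 };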
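Review bot: The table's `family` and `content` are set through two separate attribute paths (new lines 73–74), whereas nat-nftables.nix in the same commit declares its tables as one grouped attrset; writing `networking.nftables.tables."nixos-fw" = { family = "inet"; content = ''…''; };` keeps the two halves of the definition in one unit that cannot drift apart in later edits. The same split-path style appears in nixos/tests/lxd/nftables.nix. A one-line comment above the assignment would also record the intent of the migration, e.g. `# declared through nftables.tables so the module, not this file, emits the table wrapper`. The content string continues past this hunk; its closing `'';` is in the section's second hunk.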
+18 -18
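--- a/nixos/modules/services/networking/nat-nftables.nix
+++ b/nixos/modules/services/networking/nat-nftables.nix
@@ -145,28 +145,28 @@
 }
 ];
 
-networking.nftables.ruleset = ''
-table ip nixos-nat {
-${mkTable {
+networking.nftables.tables = {
+"nixos-nat" = {
+family = "ip";
+content = mkTable {
 ipVer = "ip";
 inherit dest ipSet;
 forwardPorts = filter (x: !(isIPv6 x.destination)) cfg.forwardPorts;
 inherit (cfg) dmzHost;
-}}
-}
-
-${optionalString cfg.enableIPv6 ''
-table ip6 nixos-nat {
-${mkTable {
-ipVer = "ip6";
-dest = destIPv6;
-ipSet = ipv6Set;
-forwardPorts = filter (x: isIPv6 x.destination) cfg.forwardPorts;
-dmzHost = null;
-}}
-}
-''}
-'';
+};
+};
+"nixos-nat6" = mkIf cfg.enableIPv6 {
+family = "ip6";
+name = "nixos-nat";
+content = mkTable {
+ipVer = "ip6";
+dest = destIPv6;
+ipSet = ipv6Set;
+forwardPorts = filter (x: isIPv6 x.destination) cfg.forwardPorts;
+dmzHost = null;
+};
+};
+};
 
 networking.firewall.extraForwardRules = optionalString config.networking.firewall.filterForward ''
 ${optionalString (ifaceSet != "") ''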
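Review bot: The `name = "nixos-nat";` line on the `"nixos-nat6"` entry (new line 160) is the one non-obvious part of this hunk and is undocumented: the attribute key has to differ from `"nixos-nat"` to avoid an attrset collision, while the kernel-side table must keep the name the removed `table ip6 nixos-nat` ruleset used, and a reader who drops that line would silently rename the IPv6 table. A comment such as `# attribute key must be unique, but the nftables table keeps the old name for both families` would pin that down. Gating the entry with `mkIf cfg.enableIPv6` replaces the former `optionalString` and presumably relies on the module system dropping a false `mkIf` inside `attrsOf` rather than producing an empty table; worth confirming with an `enableIPv6 = false` evaluation. The enclosing config attrset extends beyond this hunk.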
+2 -3
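--- a/nixos/tests/lxd/nftables.nix
+++ b/nixos/tests/lxd/nftables.nix
@@ -20,8 +20,8 @@
 networking = {
 firewall.enable = false;
 nftables.enable = true;
-nftables.ruleset = ''
-table inet filter {
+nftables.tables."filter".family = "inet";
+nftables.tables."filter".content = ''
 chain incoming {
 type filter hook input priority 0;
 policy accept;
@@ -36,7 +36,6 @@
 type filter hook output priority 0;
 policy accept;
 }
-}
 '';
 };
 };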