nixos/modules/services/networking/nftables.nix at 23.05-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / services / networking / nftables.nix
at 23.05-pre 4.7 kB view raw
  1{ config, pkgs, lib, ... }:
  2with lib;
  3let
  4  cfg = config.networking.nftables;
  5in
  6{
  7  ###### interface
  8
  9  options = {
 10    networking.nftables.enable = mkOption {
 11      type = types.bool;
 12      default = false;
 13      description =
 14        lib.mdDoc ''
 15          Whether to enable nftables.  nftables is a Linux-based packet
 16          filtering framework intended to replace frameworks like iptables.
 17
 18          This conflicts with the standard networking firewall, so make sure to
 19          disable it before using nftables.
 20
 21          Note that if you have Docker enabled you will not be able to use
 22          nftables without intervention. Docker uses iptables internally to
 23          setup NAT for containers. This module disables the ip_tables kernel
 24          module, however Docker automatically loads the module. Please see
 25          <https://github.com/NixOS/nixpkgs/issues/24318#issuecomment-289216273>
 26          for more information.
 27
 28          There are other programs that use iptables internally too, such as
 29          libvirt. For information on how the two firewalls interact, see
 30          <https://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting#Question_4._How_do_nftables_and_iptables_interact_when_used_on_the_same_system.3F>.
 31        '';
 32    };
 33    networking.nftables.ruleset = mkOption {
 34      type = types.lines;
 35      default = "";
 36      example = ''
 37        # Check out https://wiki.nftables.org/ for better documentation.
 38        # Table for both IPv4 and IPv6.
 39        table inet filter {
 40          # Block all incomming connections traffic except SSH and "ping".
 41          chain input {
 42            type filter hook input priority 0;
 43
 44            # accept any localhost traffic
 45            iifname lo accept
 46
 47            # accept traffic originated from us
 48            ct state {established, related} accept
 49
 50            # ICMP
 51            # routers may also want: mld-listener-query, nd-router-solicit
 52            ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
 53            ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
 54
 55            # allow "ping"
 56            ip6 nexthdr icmpv6 icmpv6 type echo-request accept
 57            ip protocol icmp icmp type echo-request accept
 58
 59            # accept SSH connections (required for a server)
 60            tcp dport 22 accept
 61
 62            # count and drop any other traffic
 63            counter drop
 64          }
 65
 66          # Allow all outgoing connections.
 67          chain output {
 68            type filter hook output priority 0;
 69            accept
 70          }
 71
 72          chain forward {
 73            type filter hook forward priority 0;
 74            accept
 75          }
 76        }
 77      '';
 78      description =
 79        lib.mdDoc ''
 80          The ruleset to be used with nftables.  Should be in a format that
 81          can be loaded using "/bin/nft -f".  The ruleset is updated atomically.
 82        '';
 83    };
 84    networking.nftables.rulesetFile = mkOption {
 85      type = types.path;
 86      default = pkgs.writeTextFile {
 87        name = "nftables-rules";
 88        text = cfg.ruleset;
 89      };
 90      defaultText = literalMD ''a file with the contents of {option}`networking.nftables.ruleset`'';
 91      description =
 92        lib.mdDoc ''
 93          The ruleset file to be used with nftables.  Should be in a format that
 94          can be loaded using "nft -f".  The ruleset is updated atomically.
 95        '';
 96    };
 97  };
 98
 99  ###### implementation
100
101  config = mkIf cfg.enable {
102    assertions = [{
103      assertion = config.networking.firewall.enable == false;
104      message = "You can not use nftables and iptables at the same time. networking.firewall.enable must be set to false.";
105    }];
106    boot.blacklistedKernelModules = [ "ip_tables" ];
107    environment.systemPackages = [ pkgs.nftables ];
108    networking.networkmanager.firewallBackend = mkDefault "nftables";
109    systemd.services.nftables = {
110      description = "nftables firewall";
111      before = [ "network-pre.target" ];
112      wants = [ "network-pre.target" ];
113      wantedBy = [ "multi-user.target" ];
114      reloadIfChanged = true;
115      serviceConfig = let
116        rulesScript = pkgs.writeScript "nftables-rules" ''
117          #! ${pkgs.nftables}/bin/nft -f
118          flush ruleset
119          include "${cfg.rulesetFile}"
120        '';
121      in {
122        Type = "oneshot";
123        RemainAfterExit = true;
124        ExecStart = rulesScript;
125        ExecReload = rulesScript;
126        ExecStop = "${pkgs.nftables}/bin/nft flush ruleset";
127      };
128    };
129  };
130}