pyrox.dev / nixpkgs
lol
fork atom

nixos/firewall: assert that the kernel supports conntrack helper auto-loading

K900 18f85de7 2eeefe41

options
unified split
Changed files
+6
nixos
doc
manual
release-notes
rl-2305.section.md
modules
services
networking
firewall.nix
+2
nixos/doc/manual/release-notes/rl-2305.section.md 
···

       
142

       
142

       
 

       



     

       
143

       
143

       
 

       
- [services.xserver.videoDrivers](options.html#opt-services.xserver.videoDrivers) now defaults to the `modesetting` driver over device-specific ones. The `radeon`, `amdgpu` and `nouveau` drivers are still available, but effectively unmaintained and not recommended for use.


     

       
144

       
144

       
 

       



     

       

       
145

       
+

       
- conntrack helper autodetection has been removed from kernels 6.0 and up upstream, and an assertion was added to ensure things don't silently stop working. Migrate your configuration to assign helpers explicitly or use an older LTS kernel branch as a temporary workaround.


     

       

       
146

       
+

       



     

       
145

       
147

       
 

       
## Other Notable Changes {#sec-release-23.05-notable-changes}


     

       
146

       
148

       
 

       



     

       
147

       
149

       
 

       
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+4
nixos/modules/services/networking/firewall.nix 
···

       
269

       
269

       
 

       
        assertion = cfg.filterForward -> config.networking.nftables.enable;


     

       
270

       
270

       
 

       
        message = "filterForward only works with the nftables based firewall";


     

       
271

       
271

       
 

       
      }


     

       

       
272

       
+

       
      {


     

       

       
273

       
+

       
        assertion = cfg.autoLoadConntrackHelpers -> lib.versionOlder config.boot.kernelPackages.kernel.version "6";


     

       

       
274

       
+

       
        message = "conntrack helper autoloading has been removed from kernel 6.0 and newer";


     

       

       
275

       
+

       
      }


     

       
272

       
276

       
 

       
    ];


     

       
273

       
277

       
 

       



     

       
274

       
278

       
 

       
    networking.firewall.trustedInterfaces = [ "lo" ];