+7
nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+7
nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+2
nixos/doc/manual/release-notes/rl-2305.section.md
+2
nixos/doc/manual/release-notes/rl-2305.section.md
···- Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.+- The `firewall` and `nat` module now has a nftables based implementation. Enable `networking.nftables` to use it.- The `services.fwupd` module now allows arbitrary daemon settings to be configured in a structured manner ([`services.fwupd.daemonSettings`](#opt-services.fwupd.daemonSettings)).
+4
nixos/modules/module-list.nix
+4
nixos/modules/module-list.nix
+6
-1
nixos/modules/services/audio/roon-bridge.nix
+6
-1
nixos/modules/services/audio/roon-bridge.nix
+6
-1
nixos/modules/services/audio/roon-server.nix
+6
-1
nixos/modules/services/audio/roon-server.nix
+334
nixos/modules/services/networking/firewall-iptables.nix
+334
nixos/modules/services/networking/firewall-iptables.nix
···+kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false);+ip46tables -A nixos-fw-log-refuse -p tcp --syn -j LOG --log-level info --log-prefix "refused connection: "+ip46tables -t mangle -A nixos-fw-rpfilter -m rpfilter --validmark ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN+iptables -t mangle -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN+ip46tables -t mangle -A nixos-fw-rpfilter -j LOG --log-level info --log-prefix "rpfilter drop: "+ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}+ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}+ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}+ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}+iptables -w -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null)
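Review bot: In the per-port accept rules, `-i ${iface}` and `--dport ${range}` are spliced into the generated shell script unquoted, so an interface name or range string containing shell metacharacters would be word-split or interpreted by the shell rather than handed to iptables verbatim; `-i ${escapeShellArg iface}` keeps the literal (the file already uses `optionalString` unqualified, so `escapeShellArg` is presumably in scope the same way). These lines appear to be moved over from firewall.nix rather than newly written (they show as removed in that file's section), so the issue is pre-existing, but splitting the backend into its own file is a natural point to tighten it. The `kernelHasRPFilter` let-binding and the shell script these rules belong to start and end outside the visible lines.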
+167
nixos/modules/services/networking/firewall-nftables.nix
+167
nixos/modules/services/networking/firewall-nftables.nix
···+message = "extraCommands is incompatible with the nftables based firewall: ${cfg.extraCommands}";+message = "extraStopCommands is incompatible with the nftables based firewall: ${cfg.extraStopCommands}";+meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server"+${optionalString (ifaceSet != "") ''iifname { ${ifaceSet} } accept comment "trusted interfaces"''}+ct state vmap { invalid : drop, established : accept, related : accept, * : jump input-allow } comment "*: new and untracked"+icmp type echo-request ${optionalString (cfg.pingLimit != null) "limit rate ${cfg.pingLimit}"} accept comment "allow ping"+icmpv6 type != { nd-redirect, 139 } accept comment "Accept all ICMPv6 messages except redirects and node information queries (type 139). See RFC 4890, section 4.4."+ct state vmap { invalid : drop, established : accept, related : accept, * : jump forward-allow } comment "*: new and untracked"+icmpv6 type != { router-renumbering, 139 } accept comment "Accept all ICMPv6 messages except renumbering and node information queries (type 139). See RFC 4890, section 4.3."
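Review bot: The DHCPv4 rule `meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept` is placed ahead of the `ct state` vmap and accepts the client-to-server direction (sport 68, dport 67) on every interface, so a DHCP server running on the host becomes reachable from all interfaces regardless of `allowedUDPPorts`, and the source-port condition is trivially spoofable. Only the `67 . 68` direction is needed to let unsolicited broadcast replies reach a local client; the `68 . 67` half would be better left to the normal allow-list so that serving DHCP remains an explicit decision. Separately, the ICMPv6 input rule excludes only `nd-redirect` and type 139, while RFC 4890's should-be-dropped list, as I read it, pairs Node Information Query (139) with Node Information Response (140) — worth checking and adding `140` to both sets if so. The `input`/`forward` chain definitions these rules belong to start and end outside the visible lines.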
+141
-439
nixos/modules/services/networking/firewall.nix
+141
-439
nixos/modules/services/networking/firewall.nix
······-kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false);-ip46tables -A nixos-fw-log-refuse -p tcp --syn -j LOG --log-level info --log-prefix "refused connection: "-ip46tables -t mangle -A nixos-fw-rpfilter -m rpfilter --validmark ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN-iptables -t mangle -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN-ip46tables -t mangle -A nixos-fw-rpfilter -j LOG --log-level info --log-prefix "rpfilter drop: "-ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}-ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}-ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}-ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"}-iptables -w -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null)·········+defaultText = literalExpression ''if config.networking.nftables.enable then "pkgs.nftables" else "pkgs.iptables"'';+defaultText = literalMD "`true` except if the iptables based firewall is in use and the kernel lacks rpfilter support";···
+191
nixos/modules/services/networking/nat-iptables.nix
+191
nixos/modules/services/networking/nat-iptables.nix
···+-s '${range}' ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest}+destinationPorts = if m == null then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (elemAt m 1);
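Review bot: On the masquerade line the source range is single-quoted (`-s '${range}'`) while `-o ${cfg.externalInterface}` and `${dest}` on the same line are interpolated into the shell unquoted, so the quoting is inconsistent and an interface name containing shell metacharacters would be interpreted by the shell; `-o ${escapeShellArg cfg.externalInterface}` makes the operands uniform. The `destinationPorts` binding throws a bare `bad ip:ports` error for a malformed `fwd.destination`, which is fine for evaluation but would be easier to act on if the message named the option, e.g. `throw "networking.nat.forwardPorts: bad ip:ports in destination \`${fwd.destination}'"`. Both lines appear to be moved from nat.nix (they show as removed there), so this is pre-existing; the enclosing shell script and `forwardPorts` mapping start and end outside the visible lines.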
+184
nixos/modules/services/networking/nat-nftables.nix
+184
nixos/modules/services/networking/nat-nftables.nix
···+oifExpr = optionalString (cfg.externalInterface != null) ''oifname "${cfg.externalInterface}"'';+iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward"+iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdRangeMap} } comment "port forward"+dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT"+dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from other hosts behind NAT"+iifname != "${cfg.externalInterface}" ${ipVer} daddr . meta l4proto . th dport { ${fwdLoopSnatSet} } masquerade comment "port forward loopback snat"+dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself"+dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from the host itself"+message = "extraCommands is incompatible with the nftables based nat module: ${cfg.extraCommands}";+message = "extraStopCommands is incompatible with the nftables based nat module: ${cfg.extraStopCommands}";+networking.firewall.extraForwardRules = optionalString config.networking.firewall.filterForward ''
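Review bot: The port-forward rules interpolate `iifname "${cfg.externalInterface}"` directly, whereas `oifExpr` two lines up guards the same option with `optionalString (cfg.externalInterface != null)`; if `forwardPorts` is non-empty while `externalInterface` is null, the unguarded interpolation fails at evaluation with a null-coercion error instead of a clear message — unless an assertion elsewhere in the module already requires the interface, which is not visible here. An assertion alongside the existing extraCommands/extraStopCommands ones, `{ assertion = cfg.forwardPorts != [] -> cfg.externalInterface != null; message = "networking.nat.forwardPorts requires networking.nat.externalInterface"; }`, would make the failure mode explicit. Also worth a comment on the `extraForwardRules` line: it only takes effect when `networking.firewall.filterForward` is set, so NAT clients on a default configuration are forwarded without any filter-chain rule from this module, which is presumably intentional but is not obvious from the option name. The `fwdMap`/`fwdRangeMap` bindings and the chain blocks these rules belong to start and end outside the visible lines.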
+85
-256
nixos/modules/services/networking/nat.nix
+85
-256
nixos/modules/services/networking/nat.nix
···--s '${range}' ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest}-destinationPorts = if m == null then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (elemAt m 1);···description = lib.mdDoc "Public IPs for NAT reflection; for connections to `loopbackip:sourcePort' from the host itself and from other hosts behind NAT";-# See <http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/>.+# See <http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/>.
+10
-16
nixos/modules/services/networking/nftables.nix
+10
-16
nixos/modules/services/networking/nftables.nix
·········-message = "You can not use nftables and iptables at the same time. networking.firewall.enable must be set to false.";···
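Review bot: Removing the assertion `You can not use nftables and iptables at the same time` drops the only visible guard against both backends being active at once; with the new nftables-based firewall and nat modules that is intended, but any other module or user script that still shells out to `iptables` would now coexist silently with the nft ruleset, and mixing xtables and nf_tables rules is a common cause of rules that are silently bypassed. If `networking.firewall.package` under `networking.nftables.enable` is not already an `iptables-nft` shim, consider keeping at least a warning when an xtables-based package is configured, or stating the expectation in the release note. The remainder of this file's changes are outside the visible lines.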
+5
-1
nixos/tests/all-tests.nix
+5
-1
nixos/tests/all-tests.nix
···firefox-esr = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-esr; }; # used in `tested` job···nat.firewall-conntrack = handleTest ./nat.nix { withFirewall = true; withConntrackHelpers = true; };+nat.nftables.firewall-conntrack = handleTest ./nat.nix { withFirewall = true; withConntrackHelpers = true; nftables = true; };
+8
-5
nixos/tests/firewall.nix
+8
-5
nixos/tests/firewall.nix
+8
-4
nixos/tests/nat.nix
+8
-4
nixos/tests/nat.nix
···+import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, nftables ? false, ... }:·········