nixos-firewall-tool: add nftables support

Co-authored-by: Rvfg <i@rvf6.com>
Gary Guo
2024-07-04 17:30:48 +01:00
committed by Sandro Jäckel
parent 4059698520
commit cabbab19e2
6 changed files with 52 additions and 11 deletions


@@ -720,6 +720,8 @@
This saves UPS battery and ensures that host(s) get back up again when power comes back, even in the scenario when the UPS would have had enough capacity to keep power on during the whole power outage. This saves UPS battery and ensures that host(s) get back up again when power comes back, even in the scenario when the UPS would have had enough capacity to keep power on during the whole power outage.
If you like the old behaviour of keeping the UPSs on (and emptying the battery) after the host(s) have shut down, and risk not getting a power cycle event to get the host(s) back up, set `power.ups.upsmon.settings.POWERDOWNFLAG = null;`. If you like the old behaviour of keeping the UPSs on (and emptying the battery) after the host(s) have shut down, and risk not getting a power cycle event to get the host(s) back up, set `power.ups.upsmon.settings.POWERDOWNFLAG = null;`.
- `nixos-firewall-tool` now supports nftables in addition to iptables and is installed by default when NixOS firewall is enabled.
- Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872) - Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872)
in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners
should be changed to using *runner authentication tokens* by configuring should be changed to using *runner authentication tokens* by configuring


@@ -297,7 +297,6 @@ in
} }
]; ];
environment.systemPackages = [ pkgs.nixos-firewall-tool ];
networking.firewall.checkReversePath = lib.mkIf (!kernelHasRPFilter) (lib.mkDefault false); networking.firewall.checkReversePath = lib.mkIf (!kernelHasRPFilter) (lib.mkDefault false);
systemd.services.firewall = { systemd.services.firewall = {


@@ -81,6 +81,13 @@ in
networking.nftables.tables."nixos-fw".family = "inet"; networking.nftables.tables."nixos-fw".family = "inet";
networking.nftables.tables."nixos-fw".content = '' networking.nftables.tables."nixos-fw".content = ''
set temp-ports {
comment "Temporarily opened ports"
type inet_proto . inet_service
flags interval
auto-merge
}
${lib.optionalString (cfg.checkReversePath != false) '' ${lib.optionalString (cfg.checkReversePath != false) ''
chain rpfilter { chain rpfilter {
type filter hook prerouting priority mangle + 10; policy drop; type filter hook prerouting priority mangle + 10; policy drop;
@@ -147,6 +154,8 @@ in
'' ''
) cfg.allInterfaces)} ) cfg.allInterfaces)}
meta l4proto . th dport @temp-ports accept
${lib.optionalString cfg.allowPing '' ${lib.optionalString cfg.allowPing ''
icmp type echo-request ${lib.optionalString (cfg.pingLimit != null) "limit rate ${cfg.pingLimit}"} accept comment "allow ping" icmp type echo-request ${lib.optionalString (cfg.pingLimit != null) "limit rate ${cfg.pingLimit}"} accept comment "allow ping"
''} ''}
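Review bot: The new accept rule on the `meta l4proto . th dport @temp-ports` line carries no `comment`, unlike the ping rule directly below it, so the output of `nft list table inet nixos-fw` (which is what the tool's `show` prints) will not tell an operator where an unexpected open port came from; `meta l4proto . th dport @temp-ports accept comment "nixos-firewall-tool temporary ports"` would. The set is declared without a `timeout` flag, so elements the tool adds presumably stay until `nixos-firewall-tool reset` flushes the set or the ruleset is reloaded — worth stating in the set's own comment, e.g. `comment "Temporarily opened ports (cleared by reset or ruleset reload)"`. The key is a concatenation combined with `flags interval`, which needs a reasonably recent nft/kernel for concatenated ranges; confirm that is within what the firewall module already requires. The input chain these rules sit in starts and ends outside this hunk.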


@@ -274,7 +274,10 @@ in
networking.firewall.trustedInterfaces = [ "lo" ]; networking.firewall.trustedInterfaces = [ "lo" ];
environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages; environment.systemPackages = [
cfg.package
pkgs.nixos-firewall-tool
] ++ cfg.extraPackages;
boot.kernelModules = (lib.optional cfg.autoLoadConntrackHelpers "nf_conntrack") boot.kernelModules = (lib.optional cfg.autoLoadConntrackHelpers "nf_conntrack")
++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;


@@ -2,10 +2,19 @@
set -euo pipefail set -euo pipefail
# Detect if iptables or nftables-based firewall is used.
if [[ -e /etc/systemd/system/firewall.service ]]; then
BACKEND=iptables
elif [[ -e /etc/systemd/system/nftables.service ]]; then
BACKEND=nftables
else
echo "nixos-firewall-tool: cannot detect firewall backend" >&2
exit 1
fi
ip46tables() { ip46tables() {
iptables -w "$@" iptables -w "$@"
ip6tables -w "$@" ip6tables -w "$@"
} }
show_help() { show_help() {
@@ -36,13 +45,34 @@ case $1 in
protocol="$2" protocol="$2"
port="$3" port="$3"
ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept case $BACKEND in
iptables)
ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept
;;
nftables)
nft add element inet nixos-fw "temp-ports" "{ $protocol . $port }"
;;
esac
;; ;;
"show") "show")
ip46tables --numeric --list nixos-fw case $BACKEND in
iptables)
ip46tables --numeric --list nixos-fw
;;
nftables)
nft list table inet nixos-fw
;;
esac
;; ;;
"reset") "reset")
systemctl restart firewall.service case $BACKEND in
iptables)
systemctl restart firewall.service
;;
nftables)
nft flush set inet nixos-fw "temp-ports"
;;
esac
;; ;;
-h|--help|help) -h|--help|help)
show_help show_help
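Review bot: Backend detection at the top of the script keys off the existence of `/etc/systemd/system/firewall.service` and `nftables.service`, which reflects what was built into the system rather than what is running; on a host where `nftables.service` exists but the `nixos-fw` table is absent (firewall disabled, or the unit not started yet) `open` and `reset` will presumably exit on a raw nft error under `set -e` instead of the tool's own message. Probing state would be more robust, e.g. `elif nft list table inet nixos-fw >/dev/null 2>&1; then BACKEND=nftables` for the nftables branch and `systemctl is-active --quiet firewall.service` for the iptables one. The `open` branch also passes `$protocol` and `$port` to nft unvalidated, and for the nftables set the protocol has to be a bare name such as `tcp` or `udp`, which the help text (outside this hunk) should say. The `case $1 in` these branches belong to begins before the hunk.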


@@ -1,15 +1,13 @@
{ writeShellApplication, iptables, lib }: { writeShellApplication, lib }:
writeShellApplication { writeShellApplication {
name = "nixos-firewall-tool"; name = "nixos-firewall-tool";
text = builtins.readFile ./nixos-firewall-tool.sh; text = builtins.readFile ./nixos-firewall-tool.sh;
runtimeInputs = [
iptables
];
meta = with lib; { meta = with lib; {
description = "Temporarily manipulate the NixOS firewall"; description = "Temporarily manipulate the NixOS firewall";
license = licenses.mit; license = licenses.mit;
maintainers = with maintainers; [ clerie ]; maintainers = with maintainers; [ clerie rvfg garyguo ];
}; };
} }
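Review bot: Dropping `iptables` from `runtimeInputs` without adding `nftables` means the script's `iptables`, `ip6tables` and `nft` invocations now resolve from the caller's PATH instead of being pinned by the wrapper, so the tool only works when the matching backend package is also in the system profile (the nftables module section adds `cfg.package`; the iptables side is not visible here). If keeping both backends out of the closure is deliberate, a one-line comment next to `text` saying so would stop the next reader from re-adding them, and the script should fail early with `command -v nft >/dev/null || { echo "nixos-firewall-tool: nft not in PATH" >&2; exit 1; }` (and the same for `iptables`) rather than a bash command-not-found. Otherwise `runtimeInputs = [ iptables nftables ];` restores the previous guarantee.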