*: migrate to using nftables.tables instead of ruleset directly

Maciej Krüger 2022-12-26 00:28:57 +01:00
parent 048ef0d455
commit 311d2fa994
3 changed files with 22 additions and 28 deletions


@ -70,10 +70,8 @@ in
}
];
networking.nftables.ruleset = ''
table inet nixos-fw {
networking.nftables.tables."nixos-fw".family = "inet";
networking.nftables.tables."nixos-fw".content = ''
${optionalString (cfg.checkReversePath != false) ''
chain rpfilter {
type filter hook prerouting priority mangle + 10; policy drop;
@ -169,9 +167,6 @@ in
}
''}
}
'';
};
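Review bot: The two separate assignments `networking.nftables.tables."nixos-fw".family = "inet";` and `networking.nftables.tables."nixos-fw".content = ''…'';` at the top of the first hunk would read better as one nested attrset, `networking.nftables.tables."nixos-fw" = { family = "inet"; content = ''…''; };`, which is the form the NAT module uses in this same commit. The family is now set out of sight of the chain bodies, so a one-line comment such as `# inet: one table carries both the IPv4 and IPv6 rules, including the rpfilter chain` next to `family = "inet"` would help a reader who previously saw `table inet nixos-fw {` directly above the chains. The chain definitions between the two hunks, and the enclosing config attrset, start and end outside the hunk.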


@ -145,28 +145,28 @@ in
}
];
networking.nftables.ruleset = ''
table ip nixos-nat {
${mkTable {
networking.nftables.tables = {
"nixos-nat" = {
family = "ip";
content = mkTable {
ipVer = "ip";
inherit dest ipSet;
forwardPorts = filter (x: !(isIPv6 x.destination)) cfg.forwardPorts;
inherit (cfg) dmzHost;
}}
}
${optionalString cfg.enableIPv6 ''
table ip6 nixos-nat {
${mkTable {
ipVer = "ip6";
dest = destIPv6;
ipSet = ipv6Set;
forwardPorts = filter (x: isIPv6 x.destination) cfg.forwardPorts;
dmzHost = null;
}}
}
''}
'';
};
};
"nixos-nat6" = mkIf cfg.enableIPv6 {
family = "ip6";
name = "nixos-nat";
content = mkTable {
ipVer = "ip6";
dest = destIPv6;
ipSet = ipv6Set;
forwardPorts = filter (x: isIPv6 x.destination) cfg.forwardPorts;
dmzHost = null;
};
};
};
networking.firewall.extraForwardRules = optionalString config.networking.firewall.filterForward ''
${optionalString (ifaceSet != "") ''
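Review bot: The `"nixos-nat6" = mkIf cfg.enableIPv6 { family = "ip6"; name = "nixos-nat"; … }` entry has no comment explaining why the attribute key and the nft table name differ, and that is the least obvious part of the new code. Add something like `# Attr key must not collide with the ip table above; the nft table itself keeps the name "nixos-nat" (family ip6), as it did when both were emitted from one ruleset string.` above the `"nixos-nat6"` line. It is also worth stating in that comment that `dmzHost = null` here is deliberate so the IPv6 table never gets a DMZ rule, since the reason is no longer visible next to the IPv4 `inherit (cfg) dmzHost;`. The enclosing config attrset begins before this hunk and the `extraForwardRules` string continues past it.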


@ -20,8 +20,8 @@ import ../make-test-python.nix ({ pkgs, ...} : {
networking = {
firewall.enable = false;
nftables.enable = true;
nftables.ruleset = ''
table inet filter {
nftables.tables."filter".family = "inet";
nftables.tables."filter".content = ''
chain incoming {
type filter hook input priority 0;
policy accept;
@ -36,7 +36,6 @@ import ../make-test-python.nix ({ pkgs, ...} : {
type filter hook output priority 0;
policy accept;
}
}
'';
};
};