With DefaultDependencies enabled, systemd adds "After=basic.target" to
service units. `basic.target` has a dependency on `sockets.target`, so
the `nftables` has (amongst others) the following order constraints:
* Before=network-pre.target
* After=sockets.target
Those constraints are often unsatisfiable. For example, `systemd-networkd`
has a dependency `After=network-pre.target`. When a socket unit now uses
`BindToDevice=` on a device managed by `networkd`, a timeout occurs
because `networkd` waits for `network-pre.target`, but
`network-pre.target` depends (through nftables) on `sockets.target`, but
the device to bind the socket to is never brought up, as this would
happen through `networkd`.
This is fixed by removing the implicit dependency on `basic.target`.
This allows for other unmanaged tables to co-exist peacefully on the os,
by having the nixos-managed tables be re-created atomically and the other
tables will simply be left untouched.
this mostly means marking options that use markdown already
appropriately and making a few adjustments so they still render
correctly. notable for nftables we have to transform the md links
because the manpage would not render them correctly otherwise.
the conversion procedure is simple:
- find all things that look like options, ie calls to either `mkOption`
or `lib.mkOption` that take an attrset. remember the attrset as the
option
- for all options, find a `description` attribute who's value is not a
call to `mdDoc` or `lib.mdDoc`
- textually convert the entire value of the attribute to MD with a few
simple regexes (the set from mdize-module.sh)
- if the change produced a change in the manual output, discard
- if the change kept the manual unchanged, add some text to the
description to make sure we've actually found an option. if the
manual changes this time, keep the converted description
this procedure converts 80% of nixos options to markdown. around 2000
options remain to be inspected, but most of those fail the "does not
change the manual output check": currently the MD conversion process
does not faithfully convert docbook tags like <code> and <package>, so
any option using such tags will not be converted at all.
* nixos/nftables: Allow use with iptables
Since iptables and nftables do not actually conflict with each other, there's no real reason to artificially prevent people from combining them.
In fact, this practice is known to cause issues like #88643, which is fixed by this commit.
services.networking.firewall might have existed during import of this
module in 2016, but it is unknown as of today.
Point to the proper boolean knob to avoid confusion.
reason:
- We currently have an open discussion regarding a more modular
firewall (https://github.com/NixOS/nixpkgs/issues/23181) and
leaving null makes future extension easier.
- the current default might not cover all use cases (different ssh port)
and might break setups, if applied blindly