nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-01-07 13:33:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
cd3af25932
nixpkgs/nixos/modules/services/networking/nftables.nix
Maciej Krüger cd3af25932
networking/nftables: enable flushing ruleset for older versions 
Co-authored-by: Naïm Favier <n@monade.li>
2023-08-28 00:35:39 +02:00

258 lines
9.0 KiB
Nix
Raw Blame History

{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.networking.nftables;
tableSubmodule = { name, ... }: {
options = {
enable = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc "Enable this table.";
};
name = mkOption {
type = types.str;
description = lib.mdDoc "Table name.";
};
content = mkOption {
type = types.lines;
description = lib.mdDoc "The table content.";
};
family = mkOption {
description = lib.mdDoc "Table family.";
type = types.enum [ "ip" "ip6" "inet" "arp" "bridge" "netdev" ];
};
};
config = {
name = mkDefault name;
};
};
in
{
###### interface
options = {
networking.nftables.enable = mkOption {
type = types.bool;
default = false;
description =
lib.mdDoc ''
Whether to enable nftables and use nftables based firewall if enabled.
nftables is a Linux-based packet filtering framework intended to
replace frameworks like iptables.
Note that if you have Docker enabled you will not be able to use
nftables without intervention. Docker uses iptables internally to
setup NAT for containers. This module disables the ip_tables kernel
module, however Docker automatically loads the module. Please see
<https://github.com/NixOS/nixpkgs/issues/24318#issuecomment-289216273>
for more information.
There are other programs that use iptables internally too, such as
libvirt. For information on how the two firewalls interact, see
<https://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting#Question_4._How_do_nftables_and_iptables_interact_when_used_on_the_same_system.3F>.
'';
};
networking.nftables.checkRuleset = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc ''
Run `nft check` on the ruleset to spot syntax errors during build.
Because this is executed in a sandbox, the check might fail if it requires
access to any environmental factors or paths outside the Nix store.
To circumvent this, the ruleset file can be edited using the preCheckRuleset
option to work in the sandbox environment.
'';
};
networking.nftables.preCheckRuleset = mkOption {
type = types.lines;
default = "";
example = lib.literalExpression ''
sed 's/skgid meadow/skgid nogroup/g' -i ruleset.conf
'';
description = lib.mdDoc ''
This script gets run before the ruleset is checked. It can be used to
create additional files needed for the ruleset check to work, or modify
the ruleset for cases the build environment cannot cover.
'';
};
networking.nftables.flushRuleset = mkEnableOption (lib.mdDoc "Flush the entire ruleset on each reload.");
networking.nftables.ruleset = mkOption {
type = types.lines;
default = "";
example = ''
# Check out https://wiki.nftables.org/ for better documentation.
# Table for both IPv4 and IPv6.
table inet filter {
# Block all incoming connections traffic except SSH and "ping".
chain input {
type filter hook input priority 0;
# accept any localhost traffic
iifname lo accept
# accept traffic originated from us
ct state {established, related} accept
# ICMP
# routers may also want: mld-listener-query, nd-router-solicit
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
# allow "ping"
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
ip protocol icmp icmp type echo-request accept
# accept SSH connections (required for a server)
tcp dport 22 accept
# count and drop any other traffic
counter drop
}
# Allow all outgoing connections.
chain output {
type filter hook output priority 0;
accept
}
chain forward {
type filter hook forward priority 0;
accept
}
}
'';
description =
lib.mdDoc ''
The ruleset to be used with nftables. Should be in a format that
can be loaded using "/bin/nft -f". The ruleset is updated atomically.
This option conflicts with rulesetFile.
'';
};
networking.nftables.rulesetFile = mkOption {
type = types.nullOr types.path;
default = null;
description =
lib.mdDoc ''
The ruleset file to be used with nftables. Should be in a format that
can be loaded using "nft -f". The ruleset is updated atomically.
This option conflicts with ruleset and nftables based firewall.
'';
};
networking.nftables.tables = mkOption {
type = types.attrsOf (types.submodule tableSubmodule);
default = {};
description = lib.mdDoc ''
Tables to be added to ruleset.
Tables will be added together with delete statements to clean up the table before every update.
'';
example = {
filter = {
family = "inet";
content = ''
# Check out https://wiki.nftables.org/ for better documentation.
# Table for both IPv4 and IPv6.
# Block all incoming connections traffic except SSH and "ping".
chain input {
type filter hook input priority 0;
# accept any localhost traffic
iifname lo accept
# accept traffic originated from us
ct state {established, related} accept
# ICMP
# routers may also want: mld-listener-query, nd-router-solicit
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
# allow "ping"
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
ip protocol icmp icmp type echo-request accept
# accept SSH connections (required for a server)
tcp dport 22 accept
# count and drop any other traffic
counter drop
}
# Allow all outgoing connections.
chain output {
type filter hook output priority 0;
accept
}
chain forward {
type filter hook forward priority 0;
accept
}
'';
};
};
};
};
###### implementation
config = mkIf cfg.enable {
boot.blacklistedKernelModules = [ "ip_tables" ];
environment.systemPackages = [ pkgs.nftables ];
networking.networkmanager.firewallBackend = mkDefault "nftables";
networking.nftables.flushRuleset = mkDefault (versionOlder config.system.stateVersion "23.11");
systemd.services.nftables = {
description = "nftables firewall";
before = [ "network-pre.target" ];
wants = [ "network-pre.target" ];
wantedBy = [ "multi-user.target" ];
reloadIfChanged = true;
serviceConfig = let
enabledTables = filterAttrs (_: table: table.enable) cfg.tables;
rulesScript = pkgs.writeTextFile {
name = "nftables-rules";
executable = true;
text = ''
#! ${pkgs.nftables}/bin/nft -f
${optionalString cfg.flushRuleset "flush ruleset"}
${concatStringsSep "\n" (mapAttrsToList (_: table: ''
table ${table.family} ${table.name}
delete table ${table.family} ${table.name}
table ${table.family} ${table.name} {
${table.content}
}
'') enabledTables)}
${if cfg.rulesetFile != null then ''
include "${cfg.rulesetFile}"
'' else cfg.ruleset}
'';
checkPhase = lib.optionalString cfg.checkRuleset ''
cp $out ruleset.conf
${cfg.preCheckRuleset}
export NIX_REDIRECTS=/etc/protocols=${pkgs.buildPackages.iana-etc}/etc/protocols:/etc/services=${pkgs.buildPackages.iana-etc}/etc/services
LD_PRELOAD="${pkgs.buildPackages.libredirect}/lib/libredirect.so ${pkgs.buildPackages.lklWithFirewall.lib}/lib/liblkl-hijack.so" \
${pkgs.buildPackages.nftables}/bin/nft --check --file ruleset.conf
'';
};
in {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = rulesScript;
ExecReload = rulesScript;
ExecStop = "${pkgs.nftables}/bin/nft flush ruleset";
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink