*: migrate to using nftables.tables instead of ruleset directly
This commit is contained in:
parent
048ef0d455
commit
311d2fa994
3 changed files with 22 additions and 28 deletions
|
@ -70,10 +70,8 @@ in
|
|||
}
|
||||
];
|
||||
|
||||
networking.nftables.ruleset = ''
|
||||
|
||||
table inet nixos-fw {
|
||||
|
||||
networking.nftables.tables."nixos-fw".family = "inet";
|
||||
networking.nftables.tables."nixos-fw".content = ''
|
||||
${optionalString (cfg.checkReversePath != false) ''
|
||||
chain rpfilter {
|
||||
type filter hook prerouting priority mangle + 10; policy drop;
|
||||
|
@ -169,9 +167,6 @@ in
|
|||
|
||||
}
|
||||
''}
|
||||
|
||||
}
|
||||
|
||||
'';
|
||||
|
||||
};
|
||||
|
|
|
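Review bot: The new `networking.nftables.tables."nixos-fw".content = ''` string opens directly with `${optionalString (cfg.checkReversePath != false) ''` and `chain rpfilter {`, because the `table inet nixos-fw {` wrapper that the old ruleset carried was removed along with its closing `}` in the second hunk; nothing at the definition site says so. A comment above the `content` line, such as `# table keyword, family and name come from the nftables.tables option; content holds only chains/sets, no table wrapper`, would stop a future edit from reintroducing the wrapper and producing a nested-table error at nft load time. The same applies to the `content` assignment in the test file's first hunk. The enclosing module body starts before this hunk and the content string ends in the second hunk.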
@ -145,28 +145,28 @@ in
|
|||
}
|
||||
];
|
||||
|
||||
networking.nftables.ruleset = ''
|
||||
table ip nixos-nat {
|
||||
${mkTable {
|
||||
networking.nftables.tables = {
|
||||
"nixos-nat" = {
|
||||
family = "ip";
|
||||
content = mkTable {
|
||||
ipVer = "ip";
|
||||
inherit dest ipSet;
|
||||
forwardPorts = filter (x: !(isIPv6 x.destination)) cfg.forwardPorts;
|
||||
inherit (cfg) dmzHost;
|
||||
}}
|
||||
}
|
||||
|
||||
${optionalString cfg.enableIPv6 ''
|
||||
table ip6 nixos-nat {
|
||||
${mkTable {
|
||||
ipVer = "ip6";
|
||||
dest = destIPv6;
|
||||
ipSet = ipv6Set;
|
||||
forwardPorts = filter (x: isIPv6 x.destination) cfg.forwardPorts;
|
||||
dmzHost = null;
|
||||
}}
|
||||
}
|
||||
''}
|
||||
'';
|
||||
};
|
||||
};
|
||||
"nixos-nat6" = mkIf cfg.enableIPv6 {
|
||||
family = "ip6";
|
||||
name = "nixos-nat";
|
||||
content = mkTable {
|
||||
ipVer = "ip6";
|
||||
dest = destIPv6;
|
||||
ipSet = ipv6Set;
|
||||
forwardPorts = filter (x: isIPv6 x.destination) cfg.forwardPorts;
|
||||
dmzHost = null;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.extraForwardRules = optionalString config.networking.firewall.filterForward ''
|
||||
${optionalString (ifaceSet != "") ''
|
||||
|
|
|
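Review bot: The `"nixos-nat6" = mkIf cfg.enableIPv6 {` block sets `name = "nixos-nat";`, which gives the ip6 table the same nft name as the `"nixos-nat"` attribute's table, and the reason is not stated; a comment such as `# attribute names must differ, but the nft table name matches the ip variant (families are separate namespaces)` would make the intent explicit. In both blocks `family` and `mkTable`'s `ipVer` carry the same literal (`"ip"`/`"ip"`, `"ip6"`/`"ip6"`), so a drift between them would silently produce a table whose rules target the other family; binding the value once per block, e.g. `let fam = "ip6"; in { family = fam; content = mkTable { ipVer = fam; ... }; }`, removes that duplication. The `networking.nftables.tables` attribute set is closed inside this hunk, but the surrounding module body continues outside it.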
@ -20,8 +20,8 @@ import ../make-test-python.nix ({ pkgs, ...} : {
|
|||
networking = {
|
||||
firewall.enable = false;
|
||||
nftables.enable = true;
|
||||
nftables.ruleset = ''
|
||||
table inet filter {
|
||||
nftables.tables."filter".family = "inet";
|
||||
nftables.tables."filter".content = ''
|
||||
chain incoming {
|
||||
type filter hook input priority 0;
|
||||
policy accept;
|
||||
|
@ -36,7 +36,6 @@ import ../make-test-python.nix ({ pkgs, ...} : {
|
|||
type filter hook output priority 0;
|
||||
policy accept;
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|