networking/nftables: add .tables property and disable ruleset flushing by default#207758
networking/nftables: add .tables property and disable ruleset flushing by default#207758mkg20001 merged 10 commits intoNixOS:masterfrom
Conversation
256fc47 to
49ccf93
Compare
ncfavier
left a comment
There was a problem hiding this comment.
Can't really comment on the nftables changes, sorry.
|
We may also disable flushing in execStop to fix #207058. |
There appears to have been a systemd bug systemd/systemd#11238 and it's no longer occuring
What I've added is that if flushRuleset is set to false, then the service will only remove tables it created, but this may be undesired. Opinions? |
|
So I couldn't reproduce it or I did it wrong, but seems the issue is fresh. Not sure how to reproduce then. Added a table with invalid contents and had a failure recorded, nft list ruleset still had the same tables as before. |
|
Thinking about flushRuleset I don't know if it makes sense to have it always off by default. Perhaps the default could be dynamic based on whether or not .tables is being used? Or does that make things even more complicated? |
|
I can't reproduce that issue either. It seems he restarted the |
I prefer to keep it off by default. This prevents deleting tables maintained by other programs like systemd, wg-quick, etc. There's another problem that when the user switches to a profile with firewall disabled, the |
Makes sense. I'll add a note to ruleset+rulesetFile that the user has to delete tables manually
Edit: We need to store it in deletions.nft anyways, since the tables that get removed from config won't be deleted otherwise |
|
A simple solution is to set an empty table when the firewall is disabled. Your solution seems more generic. |
|
@duament .tables allows adding custom tables. We need to handle those aswell. So it must be generic. |
61a95bc to
50d7ec2
Compare
Hrm this means any module we have that uses .tables is automatically turning off flushRuleset, which may not be what users want. Another idea is to disable it if no user extraRules are set. (This is only affecting the option default value, so users can change it anyways) |
|
I made it so flushRuleset is enabled on rulset{,File} being used (plus 23.05 being used so we can backport) Also made rulesetFile and ruleset non-exclusive (there's no assertion for it and there's no good reason I see for it to be exclusive) Not sure if I'm over feature-freeze with this pr? Otherwise feel free to merge |
There was a problem hiding this comment.
after applying this patch with a nixos-rebuild switch, nfttables.service failed with following error:
Apr 22 00:36:33 xx systemd[1]: Reloading nftables firewall...
Apr 22 00:36:33 xx gfzcn50sarqv9s711n1zfy6yky1wa2rf-nftables-rules[1274297]: /nix/store/gfzcn50sarqv9s711n1zfy6yky1wa2rf-nftables-rules:3:1-42: Error: File not found: /var/lib/nftables/deletions.nft
Apr 22 00:36:33 xx gfzcn50sarqv9s711n1zfy6yky1wa2rf-nftables-rules[1274297]: include "/var/lib/nftables/deletions.nft"
Apr 22 00:36:33 xx gfzcn50sarqv9s711n1zfy6yky1wa2rf-nftables-rules[1274297]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I have to manually restart nftables.service again to work. Maybe we missed a check for deletionsScriptVar here?
There was a problem hiding this comment.
yes, we missed an ensureDeletions in ExecReload
|
This PR is great. For me the conflict between Considering the reload issue, can I assume that |
We need to run the previous deletions to clean up the previous rules. |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/is-it-possible-to-write-custom-rules-to-the-nixos-firewall/27900/7 |
|
Any movement on this? |
…g by default This allows for other unmanaged tables to co-exist peacefully on the os, by having the nixos-managed tables be re-created atomically and the other tables will simply be left untouched.
Co-authored-by: Naïm Favier <[email protected]>
Co-authored-by: duament
|
Rebased. It turns out the reload error occurs when the service was started before this patchset was applied, as ensureDeletions wasn't run on startup then. So added ensureDeletions to execreload which should fix the error |
| ${table.content} | ||
| } | ||
| '') enabledTables)} | ||
| ${cfg.ruleset} |
There was a problem hiding this comment.
I have some defines in my config like this:
networking.nftables.ruleset = lib.mkBefore ''
define NET_BLA = 128.0.0.0/19
'';
which break with this change, because the config from nftables.tables is inserted here before ruleset.
Not sure if and how we can fix this, just commenting here so you're aware.
There was a problem hiding this comment.
We can either move cfg.ruleset up and/or introduce properly typed nftables.define.<key>
There was a problem hiding this comment.
Not sure what the proper type would be for define tbh. Something like attrsOf str can work, but that doesn't allow for any merging, e.g. of lists/sets. Moving rulset up modifies the behavior from what's on master after this, but maybe it's closer to before? I'll see if I can find the time to run some tests.
Description of changes
This allows for other unmanaged tables to co-exist peacefully on the os,
by having the nixos-managed tables be re-created atomically and the other
tables will simply be left untouched.
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)nixos/doc/manual/md-to-db.shto update generated release notes