IfState: Difference between revisions

Felbinger (talk | contribs)
m ifstate/netns-examples: switch to ipv4 documentation prefixes (TEST-NET-1/2/3)
Felbinger (talk | contribs)
ifstate/known-issues: add firewall
Line 177: Line 177:
}
}


</syntaxhighlight>
=== Known Issues ===
==== Firewall for netns ====
Currently the nixos modules for firewall configuration are not capable of configuring a firewall for a network namespace (see [https://github.com/NixOS/nixpkgs/issues/372414 github:nixpkgs/nixos#372414]).
It's possible to apply the nftables firewall ruleset in all network namespaces by adding the following nix configuration, but this comes with the limitation, that interface names have to be unique across all network namespaces.<syntaxhighlight lang="nixos">
# stolen from https://github.com/secshellnet/nixos/blob/main/modules/firewall.nix
{
  lib,
  pkgs,
  config,
  ...
}:
let
  netns = [ ]; # TODO add the network namespaces to apply the firewall ruleset to here
in
{
  systemd.services = builtins.listToAttrs (
    map (key: {
      name = "nftables@${key}";
      value =
        let
          cfg = config.systemd.services.nftables;
          map' = f: x: if lib.isList x then map f x else f x;
          mapFunc = file: "${lib.getExe' pkgs.iproute2 "ip"} netns exec %i ${file}";
        in
        {
          inherit (cfg)
            conflicts
            wants
            wantedBy
            reloadIfChanged
            ;
          description = "nftables firewall for network namespace %i";
          before = [ "network.target" ];
          after = [
            "network-setup.service"
            "network-pre.target"
            # netns must exist, before firewall rules can be applied
            "ifstate.service"
          ];
          serviceConfig = {
            inherit (cfg.serviceConfig) Type RemainAfterExit StateDirectory;
          }
          // builtins.listToAttrs (
            map
              (key: {
                name = key;
                value = map' mapFunc cfg.serviceConfig.${key};
              })
              [
                "ExecStart"
                "ExecStartPost"
                "ExecStop"
                "ExecReload"
              ]
          );
          unitConfig.DefaultDependencies = false;
        };
    }) netns
  );
}
</syntaxhighlight>
</syntaxhighlight>
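Review bot: The generated `nftables@NAME` unit never re-applies its ruleset once the namespace it filters is rebuilt: it inherits `RemainAfterExit`, so if `ifstate.service` is restarted and recreates a namespace (a fresh netns starts with an empty nft ruleset; whether ifstate recreates namespaces on restart is not visible here), the instance unit keeps reporting active while that namespace runs unfiltered. Adding `partOf = [ "ifstate.service" ];` beside the `after` list would make systemd restart the rule load together with the namespace provider. It is also worth saying in the prose above the snippet that a failed `nftables@NAME.service` (e.g. `ip netns exec` cannot find the namespace) means that namespace has no firewall at all, and that `netns = [ ];` yields no units until the TODO list is filled in.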