https://github.com/fooker/nftables.nix
a NixOS module providing declarative configuration of firewall rules using nftables
- Host: GitHub
- URL: https://github.com/fooker/nftables.nix
- Owner: fooker
- Created: 2023-09-09T13:52:23.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2023-09-09T20:59:02.000Z (over 1 year ago)
- Last Synced: 2025-01-30T18:28:49.676Z (4 months ago)
- Language: Nix
- Size: 4.88 KB
- Stars: 3
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: readme.md
README
# Declarative nftables rules for NixOS
`nftables.nix` is a NixOS module providing declarative configuration of firewall rules using nftables.
This module allows nftables rules to be defined across multiple declarations (and therefore multiple files).
The order of rules is defined by their position relative to other rules:
each rule has an explicit name, and other rules can be positioned in relation to those names (for example "before", "after" or "between").

## Missing features
`nftables.nix` uses a simplified nftables model.
There is a 1-to-1 mapping from protocol families to table names and from hooks to chains; there are no custom chains.
This is good enough for most filtering cases but does not allow branching into user-defined chains.

## How to install
`nftables.nix` can be used as a flake or by directly importing `default.nix` in your module system.

Example using flakes:
```
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    nftables.url = "github:fooker/nftables.nix";
  };

  outputs = { nixpkgs, nftables, ... }: {
    # Replace "myhost" with the name of your NixOS configuration.
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [ nftables.nixosModules.default ];
    };
  };
}
```

Example using imports:
```
{
  imports = [ /path/to/nftables.nix/default.nix ];
}
```

## How to use
The module defines the `firewall.enable` option, which must be set to `true` to enable nftables.

Rules are configured via `firewall.rules`, which accepts a function with a single parameter `dag` that is used to define rules.
The return value of that function must be an attrset with 4 levels, `${family}.${type}.${chain}.${name}`, whose values are `dagEntry`s.

|Element |Description                    |
|--------|-------------------------------|
|`family`| Address family and table name |
|`type`  | The kind of chain             |
|`chain` | Name of the chain             |
|`name`  | User-defined name of the rule |

The following attributes are supported:
- `ip.filter.prerouting`
- `ip.filter.input`
- `ip.filter.forward`
- `ip.filter.output`
- `ip.filter.postrouting`
- `ip.nat.prerouting`
- `ip.nat.input`
- `ip.nat.output`
- `ip.nat.postrouting`
- `ip.route.output`
- `ip6.filter.prerouting`
- `ip6.filter.input`
- `ip6.filter.forward`
- `ip6.filter.output`
- `ip6.filter.postrouting`
- `ip6.nat.prerouting`
- `ip6.nat.input`
- `ip6.nat.output`
- `ip6.nat.postrouting`
- `ip6.route.output`
- `inet.filter.prerouting`
- `inet.filter.input`
- `inet.filter.forward`
- `inet.filter.output`
- `inet.filter.postrouting`
- `inet.nat.prerouting`
- `inet.nat.input`
- `inet.nat.output`
- `inet.nat.postrouting`
- `arp.filter.input`
- `arp.filter.output`
- `bridge.filter.prerouting`
- `bridge.filter.input`
- `bridge.filter.forward`
- `bridge.filter.output`
- `bridge.filter.postrouting`
- `netdev.filter.ingress`

To create a `dagEntry`, use the `dag` parameter passed to the function assigned to `firewall.rules`.
`dag` provides the following functions:

- `dag.anywhere`: places the rules anywhere in the list of rules.
- `dag.after`: places the rules after the rule with the given name.
- `dag.before`: places the rules before the rule with the given name.
- `dag.between`: places the rules after one named rule and before another named rule.

In each case the rules argument can be either a string containing a single nftables rule or a list of such strings.
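Putting the pieces together, here is an added example (written for this page, not code from the `nftables.nix` project) of a NixOS configuration that enables the module and assembles a default-deny input policy from two declarations, ordered by rule name rather than by file order. It assumes the module has already been imported as described in the install section, and it assumes that `dag.after`, `dag.before` and `dag.between` take the referenced rule name(s) first and the rule(s) last; the page does not show the argument order, so check the module's source before relying on it. The rule strings are ordinary nftables syntax constructed for this example.

```nix
# Added example for this page, not code from the nftables.nix project.
# Assumed argument order for dag.after / dag.before / dag.between:
# referenced rule name(s) first, then the rule string or list of rule strings.
{ ... }:
{
  firewall.enable = true;

  # First declaration: a default-deny input policy for the inet family
  # (IPv4 and IPv6 in one table). Attrset levels: family.type.chain.name.
  firewall.rules = dag: {
    inet.filter.input = {
      # Keep loopback and return traffic working. Both must precede "drop",
      # so they reference it by name instead of relying on file order.
      loopback    = dag.before "drop" "iif lo accept";
      established = dag.before "drop" "ct state established,related accept";

      # The final deny. Every accept rule anchors itself before this name.
      drop = dag.anywhere [
        "ct state invalid drop"
        "counter drop"
      ];
    };
  };

  imports = [
    # Second declaration, inlined here so the example is a single file; in a
    # real setup it would live in its own file (e.g. ./ssh.nix). It only
    # refers to rule names, so it lands in the right place regardless of
    # which file is evaluated first.
    ({ ... }: {
      firewall.rules = dag: {
        inet.filter.input.ssh =
          dag.between "established" "drop" "tcp dport 22 accept";
      };
    })
  ];
}
```

Because every accept rule is positioned relative to `drop`, a later declaration cannot silently place an accept after the deny simply by being evaluated after it. Once the configuration is activated, `nft list ruleset` shows the generated `inet filter` table and the resulting order of the `input` chain.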
## Contact, Questions and Bugs
Feel free to [mail me](mailto:[email protected]) or open an issue on this repository.