nftables module: absorb into firewall module, rename ruleset options

[flokli]

Problem statement

Right now, we have networking.nftables and networking.firewall.

However, at least since https://github.com/NixOS/nixpkgs/pull/81172 (which got shipped in 21.11) we kinda default to using nftables, and all ip[6]tables/arptables/ebtables invocations essentially only modify nf_tables rules under the hood.

This means, most of the things we do in the nftables NixOS module should also be done by default, not just if we set networking.nftables.enable to true:

    boot.blacklistedKernelModules = [ "ip_tables" ];
    environment.systemPackages = [ pkgs.nftables ];
    networking.networkmanager.firewallBackend = mkDefault "nftables";

• It kinda makes sense to blacklist the kernel module.
• We might want to have the nft binary in $PATH to be able to see and modify these rules (at least in the cases where we have iptables & Co. in $PATH).
• Configuring NetworkManager to use the nftables backend also makes sense. systemd-networkd already does the same.

--

There's an assertion preventing us to enable both the NixOS firewall and the nftables module, as the nftables module also creates a systemd unit that tries to (exclusively) configure all nf_tables tables (which is dooned to fail, as there's other things inserting into it, such as systemd-networkd, and libvirt (through iptables-nft)

Proposed Fix(es)

• Absorb the above three config options into the firewall module, and enable them when firewall is enabled
• Move networking.nftables.ruleset and networking.nftables.rulesetFile somewhere below networking.firewall, with a big fat disclaimer (lib.warn?) stating this doesn't compose with the rest of the NixOS firewall, or other things interacting with the firewall, as it exclusively replaces everything whenever restarted.

cc @fpletz @misuzu @andir

[CMCDragonkai]

What's the status with this atm? As users do we continue to use networking.firewall and expect eventually everything to be moved over? In the mean time, 21.11 exposes nft but it still use iptable rules right?

[flokli]

I didn't put any time into this so far. 21.11 moved to using the nftables kernel infrastructure under the hood, by switching to use iptables-nft instead of iptables. Please see https://github.com/NixOS/nixpkgs/pull/163454/files#diff-1404042f506a34c18654c39bdd712238b5da2cd65493f5cde0a191ca7968a18eR35.

This means, the nft NixOS module currently kinda clashes with the firewall one, and everything else installing rules via nft commands or iptables commands.

[ncfavier]

https://github.com/NixOS/nixpkgs/pull/203011

[mkg20001]

Are there any bigger breakages or would it be possible to move to networking.nftables.enable = true; by default on 24.05 ?

What could be done is to just default make nftables default from 24.05 and keep the iptables options arround as compatibility for as long as necesarry.

[flokli]

The parts needing work here are more the ruleset related parts also mentioned in the issue description.

[onny]

Can we enable nftables firewall backend by default with NixOS 22.04? 🥲

[misuzu]

Can we enable nftables firewall backend by default with NixOS 22.04? 🥲

nftables backend already enabled in https://github.com/NixOS/nixpkgs/pull/81172

[onny]

the default for networking.nftables.enable is still false and therefore nixos/modules/services/networking/firewall-iptables.nix used as implementation instead of nixos/modules/services/networking/firewall-nftables.nix

[misuzu]

the default for networking.nftables.enable is still false and therefore nixos/modules/services/networking/firewall-iptables.nix used as implementation instead of nixos/modules/services/networking/firewall-nftables.nix

Yep, they are the same thing on the kernel side, the difference between these modules is a frontend used to talk to the kernel.