duament
commented
3 months ago There's an option for it. Please set networking.nftables.flushRuleset to false. This option is set to false by default since stateVersion "23.11".
Open nagisa opened 5 months ago
duament
commented
3 months ago There's an option for it. Please set networking.nftables.flushRuleset to false. This option is set to false by default since stateVersion "23.11".
Describe the bug
Restarting the
nftables.servicewill clear tables that are set up by other services such assystemd-networkdor e.g.tailscaled.Steps To Reproduce
Steps to reproduce the behavior:
systemd-networkdnetwork with anetworkConfig.IPMasquerade - "both"option;networkdcreating atable ip io.systemd.nat, withsudo nft list tablessudo systemctl restart nftablessudo nft list tablesand observe thattable ip io.systemd.natis now gone.Expected behavior
Restarting the
nftablesservice should not remove the tables from other services, or it should ensure the services know to set up their tables again.The latter seems pretty hard to achieve however. For
networkdnetworkctl reconfigure $interfacewill reset these rules (sudo systemctl reload systemd-networkd.serviceon the other hand will not) so NixOS will know to go through all the interfaces affected interfaces.For tools like
tailscaledthe only way I know right now involves at least a full reconfiguration (so a service restart most likely.)Notify maintainers
No meta.maintainers in nftables firewall module
Metadata
Please run
nix-shell -p nix-info --run "nix-info -m"and paste the result."x86_64-linux"Linux 6.1.68, NixOS, 24.05 (Uakari), 24.05.20240131.b8b232ayesyesnix-env (Nix) 2.18.1/run/current-system/nixpkgsAdd a :+1: reaction to issues you find important.