Firewall: Add support for arbitrary rules for input, output and forward #12940
This extends the firewall to support arbitrary rules for the INPUT, OUTPUT and FORWARD chains. All the rules are placed in nixos-fw-[input|output|forward] chains. It also adds support to define the default policies of the chains.

Logging works as a special target. When hits for a rule should be logged, this rule has to be defined twice, once with the LOG target and once with the actual action. Or you just rely on logRejectedPackets.

The old nixos-fw chain is deleted first. This is only really needed when switching to this new feature-branch and activating the config the first time. But for this one case it's needed as otherwise the accept and refuse chains can't be deleted. Also delete the invalid chain to allow reload to work.

For debugging it's now possible to run only the ipv6 tests or only the ipv4 tests. Maybe this should even be extracted into a parameter before including this in nixos.
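The chain layout the description sketches (rules in nixos-fw-input / nixos-fw-output / nixos-fw-forward, explicit default policies on the built-in chains, logging as a second rule with the LOG target, and tearing down the old nixos-fw chain before the chains it jumps into) can be illustrated with a small generator for iptables-restore text. This is an added example, not code from this PR or from the NixOS firewall module; the `Rule` type, the `--log-prefix` convention and the old chain names other than `nixos-fw` are assumptions.

```python
# Added illustration (not the PR's code) of the chain layout the description
# explains: rules live in nixos-fw-input / nixos-fw-output / nixos-fw-forward,
# the built-in chains get explicit default policies, and "logging" is just a
# second rule with the LOG target placed in front of the real action.
from dataclasses import dataclass

CHAINS = ("input", "output", "forward")


@dataclass
class Rule:
    chain: str            # "input", "output" or "forward"
    match: str            # raw iptables match expression, e.g. "-p tcp --dport 22"
    action: str           # terminal target: ACCEPT, DROP, REJECT, ...
    log: bool = False     # True => emit a LOG rule with the same match first
    log_prefix: str = ""  # --log-prefix text; default "nixos-fw-<chain>: " is assumed


def render_ruleset(rules, policies, log_rejected=False):
    """Return iptables-restore text for the *filter table.

    policies maps chain name -> default policy of the built-in chain
    (assumed to default to ACCEPT when a chain is not listed).
    log_rejected mimics the logRejectedPackets behaviour the description
    mentions (assumption): anything that falls through nixos-fw-input is
    logged before the INPUT policy applies.
    """
    lines = ["*filter"]
    for chain in CHAINS:
        lines.append(f":{chain.upper()} {policies.get(chain, 'ACCEPT')} [0:0]")
    for chain in CHAINS:
        lines.append(f":nixos-fw-{chain} - [0:0]")
    # the built-in chain only dispatches into the managed chain
    for chain in CHAINS:
        lines.append(f"-A {chain.upper()} -j nixos-fw-{chain}")
    for rule in rules:
        if rule.chain not in CHAINS:
            raise ValueError(f"unknown chain {rule.chain!r}")
        target_chain = f"nixos-fw-{rule.chain}"
        if rule.log:
            # "define it twice": LOG is non-terminating, so the packet continues
            # to the next rule, which carries the actual action
            prefix = rule.log_prefix or f"{target_chain}: "
            lines.append(f'-A {target_chain} {rule.match} -j LOG --log-prefix "{prefix}"')
        lines.append(f"-A {target_chain} {rule.match} -j {rule.action}")
    if log_rejected:
        lines.append('-A nixos-fw-input -j LOG --log-prefix "refused: "')
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def cleanup_commands(old_chains=("nixos-fw", "nixos-fw-accept", "nixos-fw-refuse")):
    """Commands that remove the previous chain set before loading the new one.

    The dispatching chain (first entry) is unhooked from INPUT, flushed and
    deleted before the chains it jumps into; iptables refuses to delete a
    chain that is still referenced, which is the ordering problem the
    description mentions. Names other than nixos-fw are assumed.
    """
    cmds = [f"iptables -D INPUT -j {old_chains[0]}"]  # assumed: old chain hooked from INPUT
    for chain in old_chains:
        cmds.append(f"iptables -F {chain}")
        cmds.append(f"iptables -X {chain}")
    return cmds


if __name__ == "__main__":
    demo_rules = [  # constructed sample rules
        Rule("input", "-p tcp --dport 22", "ACCEPT", log=True),
        Rule("forward", "-i eth0 -o wg0", "ACCEPT"),
        Rule("input", "-p tcp --dport 23", "REJECT", log=True, log_prefix="telnet: "),
    ]
    print("\n".join(cleanup_commands()))
    print(render_ruleset(demo_rules, {"input": "DROP", "forward": "DROP", "output": "ACCEPT"}))
```

The output is meant to be fed to `iptables-restore` after the cleanup commands have run; the cleanup order (dispatching chain first) is the point the description makes about the old accept and refuse chains.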
primeos left a comment
Hey, thank you very much for the PR, it contains some awesome stuff (imho)
However, imho it's a bit too late to get this right for
There is also an issue (and PR as I just noticed) for switching to
(Please note that the review is incomplete, just wanted to note some stuff until I or someone else has the time to do a proper review.)
Please don't merge this - it conflicts with #22586 and there hasn't been any discussion yet!
Just wanted to make sure anyone is aware of this as I can't see how we (currently) can merge them both. I encourage anyone to compare them and decide which one we use (or we could probably use parts from both). I don't really have much time ATM but I created the following issue to share some of my thought/ideas: #23181