nixos/firewall: Always use global firewall.allowed rules #50641
Conversation
blaxill
changed the title
blaxill
changed the title
|
Yes. This also hit me. Nevertheless we should document this change as well in https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-1903.xml |
|
See my comment #50625 (comment) |
|
I'm unfamiliar with the nix language, but wouldn't this cause an entry "default" under network.interfaces.* ? That was the previous behavior (and along with the filtering I've verified the correct iptables are generated with this patch. |
|
Oh, I see my mistake now. I'm not so sure about this change though, it adds even more duplication to this script, which has a lot of similar calls to begin with. |
|
You're right that it adds to more duplication- what I was initially trying to do was keep the extra "default" named interface even when there were network.interfaces.* specified. Since the "default" named interface was created previously in the default constructor for network.interfaces, it was removed when any interfaces were set. Unfortunately I'm not too familiar with nix so I'm not sure how to merge the network.allow* into the "default" named interface, if there is something similar you could point me to I will copy that structure. I'll have a tinker and see if I can get something with less duplication. |
Apply global firewall.allowed* rules separately from the interface specific rules.
blaxill
force-pushed
the
firewallMerge
branch
from
b17e54a
to
551d2f7
Compare
|
Oops accidentally closed. |
|
So I've reduced the duplication back to what it originally was, while keeping the functionality of the pull request. Are there additional change requests? |
|
@infinisil any other changes you might want to this? |
|
yes, release notes. This is a breaking change and people might have already adapted to the other behavior. |
| <para> | ||
| NixOS global firewall allow options (<literal>networking.firewall.allow*</literal>) | ||
| are now preserved when setting interface specific rules such as | ||
| <literal>networking.firewall.interfaces.en0.allow*</literal>. |
There was a problem hiding this comment.
| <literal>networking.firewall.interfaces.en0.allow*</literal>. | |
| <literal>networking.firewall.interfaces.en0.allow*</literal>. | |
| The pseudo device <literal>networking.firewall.interfaces.default</literal> was removed | |
| in the process. |
There was a problem hiding this comment.
It kind of still uses a pseudo device but named any which allows you to overwrite individual rules by assigning to networking.firewall.interfaces.any.allow*. Perhaps I should rename that back if it will be less confusing?
There was a problem hiding this comment.
Yes. That would also increase compatibility.
|
@GrahamcOfBorg build nixosTests.firewall |
|
No attempt on x86_64-darwin (full log) The following builds were skipped because they don't evaluate on x86_64-darwin: nixosTests.firewall Partial log (click to expand)
|
|
Success on x86_64-linux (full log) Attempted: nixosTests.firewall Partial log (click to expand)
|
|
Thanks! |
|
Success on aarch64-linux (full log) Attempted: nixosTests.firewall Partial log (click to expand)
|
Apply global firewall.allowed* rules separately from the interface specific rules. This means setting interface specific rules (networking.firewall.INTERFACE.allowed*) will still apply global rules to all interfaces.
Motivation for this change
Currently global networking.firewall.allowed* are dropped for interfaces when they have interface specific rules. Although this was documented, the more intuitive option would be to merge the rules.
#47580
(This supersedes my pull request fail #50625 sorry for that)
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)