New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/firewall: Always use global firewall.allowed rules #50641
Conversation
Yes. This also hit me. Nevertheless we should document this change as well in https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-1903.xml |
See my comment #50625 (comment) |
I'm unfamiliar with the nix language, but wouldn't this cause an entry "default" under network.interfaces.* ? That was the previous behavior (and along with the filtering I've verified the correct iptables are generated with this patch. |
Oh, I see my mistake now. I'm not so sure about this change though, it adds even more duplication to this script, which has a lot of similar calls to begin with. |
You're right that it adds to more duplication- what I was initially trying to do was keep the extra "default" named interface even when there were network.interfaces.* specified. Since the "default" named interface was created previously in the default constructor for network.interfaces, it was removed when any interfaces were set. Unfortunately I'm not too familiar with nix so I'm not sure how to merge the network.allow* into the "default" named interface, if there is something similar you could point me to I will copy that structure. I'll have a tinker and see if I can get something with less duplication. |
Apply global firewall.allowed* rules separately from the interface specific rules.
b17e54a
to
551d2f7
Compare
Oops accidentally closed. |
So I've reduced the duplication back to what it originally was, while keeping the functionality of the pull request. Are there additional change requests? |
@infinisil any other changes you might want to this? |
yes, release notes. This is a breaking change and people might have already adapted to the other behavior. |
<para> | ||
NixOS global firewall allow options (<literal>networking.firewall.allow*</literal>) | ||
are now preserved when setting interface specific rules such as | ||
<literal>networking.firewall.interfaces.en0.allow*</literal>. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
<literal>networking.firewall.interfaces.en0.allow*</literal>. | |
<literal>networking.firewall.interfaces.en0.allow*</literal>. | |
The pseudo device <literal>networking.firewall.interfaces.default</literal> was removed | |
in the process. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It kind of still uses a pseudo device but named any
which allows you to overwrite individual rules by assigning to networking.firewall.interfaces.any.allow*
. Perhaps I should rename that back if it will be less confusing?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. That would also increase compatibility.
@GrahamcOfBorg build nixosTests.firewall |
No attempt on x86_64-darwin (full log) The following builds were skipped because they don't evaluate on x86_64-darwin: nixosTests.firewall Partial log (click to expand)
|
Success on x86_64-linux (full log) Attempted: nixosTests.firewall Partial log (click to expand)
|
Thanks! |
Success on aarch64-linux (full log) Attempted: nixosTests.firewall Partial log (click to expand)
|
Apply global firewall.allowed* rules separately from the interface specific rules. This means setting interface specific rules (networking.firewall.INTERFACE.allowed*) will still apply global rules to all interfaces.
Motivation for this change
Currently global networking.firewall.allowed* are dropped for interfaces when they have interface specific rules. Although this was documented, the more intuitive option would be to merge the rules.
#47580
(This supersedes my pull request fail #50625 sorry for that)
Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)nix path-info -S
before and after)