nixos-firewall-tool: add nftables support

[duament]

Description of changes

Add nftables support in nixos-firewall-tool and enable it by default when NixOS firewall enables.

Also add some tests for nixos-firewall-tool in nixosTests.firewall.

Depends on #275371

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

ping @Atemu @clerie

---

Add a 👍 reaction to pull requests you find important.

[Atemu]

Could you split cd362006aced83af980799675184b668ac7cdb04 into two; one that refactors and one that does the actual change? It's hard to tell what it does.

The part pertaining the firewall tool looks pretty good to me though. I can't really review the nftables firewall change; if you want this merged quickly, do those in a separate PR.

[Atemu]

Could you make the iptables backend selection also explicit? There might be more than two firewall implementations in the future and I'd rather throw here than install the iptables firewall tool in that case.

[duament]

Oh, we only have a boolean option networking.nftables.enable for firewall backends. Do you mean we add a new option to set the backend?

[duament]

The part pertaining the firewall tool looks pretty good to me though. I can't really review the nftables firewall change; if you want this merged quickly, do those in a separate PR.

Thanks for your quick review. Unfortunately the firewall tool change depends on the nftables firewall module change. It would be better not to separate them.

[clerie]

Hi @duament, thank you for figuring out a solution to make the nixos-firewall-tool available for nftables.

I agree with #275126 (review) to split out the required changes in the firewall module to the changes in the nixos-firewall-tool. The changes in the nftables module look quite sensible without nixos-firewall-tool too and I would like give people the options to discuss this separately. We can merge both PRs one after another later.

Regarding your change at nixos-firewall-tool I'm not sure yet if it is a good idea to maintain two similarly looking programs as two different code bases.

Future changes in script can break CLI command compatibility with the other. Is this even a requirement?

Passing the backend as a package option causes nix-shell or nix shell commands or using it in ${pkgs.nixos-firewall-tool} to always bring up the iptables version. This can lead to problems when integrating it into scripts for example. Do we care about this or should users rely on having the script in their path?

[NetaliDev]

Suggested change

	- `nixos-firewall-tool` now supports nftables and is installed by default when NixOS firewall enables.
	- `nixos-firewall-tool` now supports nftables and is installed by default when NixOS firewall is enabled.

[NetaliDev]

Why do you not inherit concatStringsSep, mapAttrsToList, ... here too?

[duament]

I agree with #275126 (review) to split out the required changes in the firewall module to the changes in the nixos-firewall-tool. The changes in the nftables module look quite sensible without nixos-firewall-tool too and I would like give people the options to discuss this separately. We can merge both PRs one after another later.

You're right. I created #275371 for the firewall module change.

Regarding your change at nixos-firewall-tool I'm not sure yet if it is a good idea to maintain two similarly looking programs as two different code bases.

Future changes in script can break CLI command compatibility with the other. Is this even a requirement?

Passing the backend as a package option causes nix-shell or nix shell commands or using it in ${pkgs.nixos-firewall-tool} to always bring up the iptables version. This can lead to problems when integrating it into scripts for example. Do we care about this or should users rely on having the script in their path?

I guess we can support both backends in one script and determine which one to use at runtime. Just check if iptables or nft command is in PATH? In this way, we don't need runtimeInputs any more. It also avoid the version mismatch problem.

[nbdd0121]

Reloading nftables for undoing port changes is a bit excessive, see: #286584.

Instead of the current approach, I would suggest add a set of type inet_proto . inet_service, call it something like tool-ports, and let this command do a single flush of this set.

[nbdd0121]

@duament do you still intend to proceed with this PR? I can work on this if you don't have time.

[duament]

@duament do you still intend to proceed with this PR? I can work on this if you don't have time.

Feel free to continue this pr.