NixOS · SuperSandro2000 · Oct 18, 2024 · Jul 4, 2024 · Jul 4, 2024 · Jul 4, 2024
diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
@@ -7608,6 +7608,12 @@
     githubId = 91987;
     name = "Jim Garrison";
   };
+  garyguo = {
+    email = "[email protected]";
+    github = "nbdd0121";
+    githubId = 4065244;
+    name = "Gary Guo";
+  };
   gavin = {
     email = "[email protected]";
     github = "gavinrogers";
@@ -18709,6 +18715,12 @@
     githubId = 141248;
     name = "Ramses";
   };
+  rvfg = {
+    email = "[email protected]";
+    github = "duament";
+    githubId = 30264485;
+    name = "Rvfg";
+  };
   rvl = {
     email = "[email protected]";
     github = "rvl";

diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -720,6 +720,8 @@
   This saves UPS battery and ensures that host(s) get back up again when power comes back, even in the scenario when the UPS would have had enough capacity to keep power on during the whole power outage.
   If you like the old behaviour of keeping the UPSs on (and emptying the battery) after the host(s) have shut down, and risk not getting a power cycle event to get the host(s) back up, set `power.ups.upsmon.settings.POWERDOWNFLAG = null;`.
 
+- `nixos-firewall-tool` now supports nftables in addition to iptables and is installed by default when NixOS firewall is enabled.
+
 - Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872)
   in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners
   should be changed to using *runner authentication tokens* by configuring

diff --git a/nixos/modules/services/networking/firewall-iptables.nix b/nixos/modules/services/networking/firewall-iptables.nix
@@ -297,7 +297,6 @@ in
       }
     ];
 
-    environment.systemPackages = [ pkgs.nixos-firewall-tool ];
     networking.firewall.checkReversePath = lib.mkIf (!kernelHasRPFilter) (lib.mkDefault false);
 
     systemd.services.firewall = {

diff --git a/nixos/modules/services/networking/firewall-nftables.nix b/nixos/modules/services/networking/firewall-nftables.nix
@@ -81,6 +81,13 @@ in
 
     networking.nftables.tables."nixos-fw".family = "inet";
     networking.nftables.tables."nixos-fw".content = ''
+        set temp-ports {
+          comment "Temporarily opened ports"
+          type inet_proto . inet_service
+          flags interval
+          auto-merge
+        }
+
         ${lib.optionalString (cfg.checkReversePath != false) ''
           chain rpfilter {
             type filter hook prerouting priority mangle + 10; policy drop;
@@ -147,6 +154,8 @@ in
             ''
           ) cfg.allInterfaces)}
 
+          meta l4proto . th dport @temp-ports accept
+
           ${lib.optionalString cfg.allowPing ''
             icmp type echo-request ${lib.optionalString (cfg.pingLimit != null) "limit rate ${cfg.pingLimit}"} accept comment "allow ping"
           ''}

diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
@@ -274,7 +274,10 @@ in
 
     networking.firewall.trustedInterfaces = [ "lo" ];
 
-    environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages;
+    environment.systemPackages = [
+      cfg.package
+      pkgs.nixos-firewall-tool
+    ] ++ cfg.extraPackages;
 
     boot.kernelModules = (lib.optional cfg.autoLoadConntrackHelpers "nf_conntrack")
       ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;

diff --git a/nixos/tests/firewall.nix b/nixos/tests/firewall.nix
@@ -3,14 +3,31 @@
 import ./make-test-python.nix ( { pkgs, nftables, ... } : {
   name = "firewall" + pkgs.lib.optionalString nftables "-nftables";
   meta = with pkgs.lib.maintainers; {
-    maintainers = [ ];
+    maintainers = [ rvfg garyguo ];
   };
 
   nodes =
     { walled =
         { ... }:
-        { networking.firewall.enable = true;
-          networking.firewall.logRefusedPackets = true;
+        { networking.firewall = {
+            enable = true;
+            logRefusedPackets = true;
+            # Syntax smoke test, not actually verified otherwise
+            allowedTCPPorts = [ 25 993 8005 ];
+            allowedTCPPortRanges = [
+              { from = 980; to = 1000; }
+              { from = 990; to = 1010; }
+              { from = 8000; to = 8010; }
+            ];
+            interfaces.eth0 = {
+              allowedTCPPorts = [ 10003 ];
+              allowedTCPPortRanges = [ { from = 10000; to = 10005; } ];
+            };
+            interfaces.eth3 = {
+              allowedUDPPorts = [ 10003 ];
+              allowedUDPPortRanges = [ { from = 10000; to = 10005; } ];
+            };
+          };
           networking.nftables.enable = nftables;
           services.httpd.enable = true;
           services.httpd.adminAddr = "[email protected]";
@@ -48,6 +65,14 @@ import ./make-test-python.nix ( { pkgs, nftables, ... } : {
     walled.succeed("curl -v http://attacker/ >&2")
     walled.succeed("ping -c 1 attacker >&2")
 
+    # Open tcp port 80 at runtime
+    walled.succeed("nixos-firewall-tool open tcp 80")
+    attacker.succeed("curl -v http://walled/ >&2")
+
+    # Reset the firewall
+    walled.succeed("nixos-firewall-tool reset")
+    attacker.fail("curl --fail --connect-timeout 2 http://walled/ >&2")
+
     # If we stop the firewall, then connections should succeed.
     walled.stop_job("${unit}")
     attacker.succeed("curl -v http://walled/ >&2")

diff --git a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh
@@ -2,10 +2,19 @@
 
 set -euo pipefail
 
+# Detect if iptables or nftables-based firewall is used.
+if [[ -e /etc/systemd/system/firewall.service ]]; then
+    BACKEND=iptables
+elif [[ -e /etc/systemd/system/nftables.service ]]; then
+    BACKEND=nftables
+else
+    echo "nixos-firewall-tool: cannot detect firewall backend" >&2
+    exit 1
+fi
+
 ip46tables() {
   iptables -w "$@"
   ip6tables -w "$@"
-
 }
 
 show_help() {
@@ -36,13 +45,34 @@ case $1 in
     protocol="$2"
     port="$3"
 
-    ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept
+    case $BACKEND in
+        iptables)
+            ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept
+            ;;
+        nftables)
+            nft add element inet nixos-fw "temp-ports" "{ $protocol . $port }"
+            ;;
+    esac
   ;;
   "show")
-    ip46tables --numeric --list nixos-fw
+    case $BACKEND in
+        iptables)
+            ip46tables --numeric --list nixos-fw
+            ;;
+        nftables)
+            nft list table inet nixos-fw
+            ;;
+    esac
   ;;
   "reset")
-    systemctl restart firewall.service
+    case $BACKEND in
+        iptables)
+            systemctl restart firewall.service
+            ;;
+        nftables)
+            nft flush set inet nixos-fw "temp-ports"
+            ;;
+    esac
   ;;
   -h|--help|help)
     show_help

diff --git a/pkgs/by-name/ni/nixos-firewall-tool/package.nix b/pkgs/by-name/ni/nixos-firewall-tool/package.nix
@@ -1,15 +1,13 @@
-{ writeShellApplication, iptables, lib }:
+{ writeShellApplication, lib }:
 
 writeShellApplication {
   name = "nixos-firewall-tool";
+
   text = builtins.readFile ./nixos-firewall-tool.sh;
-  runtimeInputs = [
-    iptables
-  ];
 
   meta = with lib; {
     description = "Temporarily manipulate the NixOS firewall";
     license = licenses.mit;
-    maintainers = with maintainers; [ clerie ];
+    maintainers = with maintainers; [ clerie rvfg garyguo ];
   };
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -297,7 +297,6 @@ in @@
           }
         ];
-        environment.systemPackages = [ pkgs.nixos-firewall-tool ];
         networking.firewall.checkReversePath = lib.mkIf (!kernelHasRPFilter) (lib.mkDefault false);
         systemd.services.firewall = {
@@ Expand Down @@