networking/nftables: enable flushing ruleset for older versions

Co-authored-by: Naïm Favier <n@monade.li>
2022-12-26 00:35:15 +01:00 · 2022-12-26 00:35:15 +01:00 · cd3af25932
commit cd3af25932
parent 311d2fa994
1 changed files with 4 additions and 0 deletions
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@ -83,6 +83,8 @@ in
      '';
    };

+    networking.nftables.flushRuleset = mkEnableOption (lib.mdDoc "Flush the entire ruleset on each reload.");
+
    networking.nftables.ruleset = mkOption {
      type = types.lines;
      default = "";
@ -209,6 +211,7 @@ in
    boot.blacklistedKernelModules = [ "ip_tables" ];
    environment.systemPackages = [ pkgs.nftables ];
    networking.networkmanager.firewallBackend = mkDefault "nftables";
+    networking.nftables.flushRuleset = mkDefault (versionOlder config.system.stateVersion "23.11");
    systemd.services.nftables = {
      description = "nftables firewall";
      before = [ "network-pre.target" ];
@ -222,6 +225,7 @@ in
          executable = true;
          text = ''
            #! ${pkgs.nftables}/bin/nft -f
+            ${optionalString cfg.flushRuleset "flush ruleset"}
            ${concatStringsSep "\n" (mapAttrsToList (_: table: ''
              table ${table.family} ${table.name}
              delete table ${table.family} ${table.name}