Preferred/"modern" way to configure more advanced nftables modularly

I have been alternating between networking.firewall.allowedTCPPorts and networking.nftables.ruleset = ... depending on whether I needed more advanced expressions that are not covered by the former.

Recently I discovered networking.nftables.tables.filter... and tested it in a deployment. However, I don’t like the (lack of) modularity this brings.

For instance, I used to declare my global firewall in fw.nix, but e.g. nomad-specific rules in nomad.nix, which I prefer as a paradigm, because if I stop importing nomad.nix in configuration.nix, all nomad-related config will automatically no longer be considered. (This paradigm should always be the way to factor a NixOS config IMO.)

It appears I cannot mix nftables.tables and firewall.allowed.... (which of course makes sense). In other words, it’s still a bit messy and not well documented which firewall.... attributes constitute completely different config methods.

So which one is the “preferred” NixOS-native method that simultaneously supports more advanced rules (e.g. “state-based rules” like for established etc.)?

EDIT: actually it appears that it’s possible to mix “high level” things like allowedTCPPorts with tables; the former are added to table inet nixos-fw in chain input-allow, BUT they may get bypassed if there are jumps in the tables rules, so it’s difficult to not mess up…

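One way to keep the per-file modularity the post asks for while staying with the high-level options, shown as an added example that is not from the post or from NixOS itself. It relies on two properties: NixOS merges list options such as networking.firewall.allowedTCPPorts and attribute sets such as networking.nftables.tables across modules, and nftables evaluates every base chain hooked on input, where a drop in any table is final while an accept only continues to the next table. So a service module can open ports through allowedTCPPorts (which land in nixos-fw / input-allow, as the EDIT notes) and add its own table for restrictions, without any jump that could bypass input-allow. The file names follow the post; the Nomad port numbers and the 10.0.0.0/24 cluster range are assumptions.

```nix
# ---- fw.nix: global policy (assumed file layout, as in the post) ----
{ ... }:
{
  # Run the built-in NixOS firewall on its nftables backend; it owns
  # `table inet nixos-fw` with the default-drop input chain and input-allow.
  networking.nftables.enable = true;
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 22 ];

  # A second table hooked on input can only tighten the policy: nftables
  # traverses all base chains on the hook (lowest priority first), a drop
  # here is final, and `policy accept` merely hands the packet on to nixos-fw.
  networking.nftables.tables.hardening = {
    family = "inet";
    content = ''
      chain input {
        type filter hook input priority -1; policy accept;
        ct state invalid counter drop
      }
    '';
  };
}

# ---- nomad.nix: service-specific rules; dropping the import removes all of it ----
{ ... }:
{
  # Opening ports goes through the high-level option so the accepts sit in
  # nixos-fw / input-allow together with everything else (merged by NixOS).
  networking.firewall.allowedTCPPorts = [ 4646 4647 4648 ];  # assumed Nomad HTTP/RPC/Serf ports
  networking.firewall.allowedUDPPorts = [ 4648 ];            # assumed Serf gossip port

  # Service-specific restrictions live in their own table. Because only
  # drops are expressed here, this table cannot widen what nixos-fw allows.
  networking.nftables.tables.nomad = {
    family = "inet";
    content = ''
      chain input {
        type filter hook input priority -2; policy accept;
        # Only the cluster range (placeholder) may reach RPC/Serf; the HTTP API stays open.
        ip saddr != 10.0.0.0/24 tcp dport { 4647, 4648 } counter drop
        ip saddr != 10.0.0.0/24 udp dport 4648 counter drop
        # `ip saddr` matches IPv4 only; add matching `ip6 saddr` rules if the
        # host is reachable over IPv6, otherwise v6 sources skip this restriction.
      }
    '';
  };
}
```

After switching, `nft list ruleset` should show three tables (nixos-fw, hardening, nomad), each with its own input base chain and no jumps between them; the counters on the drop rules make it easy to confirm that the restrictions are actually being hit.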