What packet filtering subsystem do you use and why for your nixOS router?

I’m contemplating creating a NixOS router. I plan on leaving the fair country of pfsense.

I’m continuing the conversation from:

With a GNU/Linux system I need to decide what subsystem to use for packet filtering.
In OpenBSD, one simply uses pf.
I’m curious and researched GNU/Linux packet filtering as of 2024.
I’ve learned:

  • iptables historical, standard
  • nftables - successor to iptables
  • eBPF - paradigm shift for kernel interfacing. I read Cloudflare built a firewall service with it.

What subsystem do recent versions of NixOS use?
The manual doesn’t mention which. The wiki firewall page says it uses iptables but I don’t trust the wiki :stuck_out_tongue:

Which subsystem do you use and why?

iptables and nftables are offered. eBPF can be used with both of the previous ones.

There are other options like writing your own XDP program, DPDK, using something like P4 and compiling to eBPF bytecode, etc.

The latter ones are more obscure and requires expertise, the former are trivial and are offered on the shelf.

I just use nftables except if I have a good reason to use something more complicated.

1 Like

Packet filtering can mean multiple things. For blocking ip addresses or network ranges entirely I use ip route add blackhole <ip address>

I used nftables before but with a few thousand rules on my router my internet connection slowed down considerably.

1 Like

iptables and nftables are the same under the hood on NixOS, the difference is mainly in a cli frontend

1 Like

Neat idea! I’m curious and unfamiliar with ip. Do you know what subsystem ip uses? Or any beginner documentation for a noob like me :slight_smile:

ip is in the iproute2 package and is the default network tool for Linux. A good read is https://wiki.linuxfoundation.org/networking/iproute2 and iproute2 cheat sheet

Some basic commands:

ip address show
ip address show dev eno1
ip route show
ip -6 route show
ip route get
ip route get

Which can be shortened to:

ip a s
ip r s
ip -6 r s
ip r g
ip r g
1 Like