I’m contemplating creating a NixOS router. I plan on leaving the fair country of pfsense.
I’m continuing the conversation from:
With a GNU/Linux system I need to decide what subsystem to use for packet filtering.
In OpenBSD, one simply uses pf.
I’m curious and researched GNU/Linux packet filtering as of 2024.
- iptables historical, standard
- nftables - successor to iptables
- eBPF - paradigm shift for kernel interfacing. I read Cloudflare built a firewall service with it.
What subsystem do recent versions of NixOS use?
The manual doesn’t mention which. The wiki firewall page says it uses iptables, but I don’t trust the wiki.
Which subsystem do you use and why?
iptables and nftables are offered. eBPF can be used with both of the previous ones.
There are other options like writing your own XDP program, DPDK, using something like P4 and compiling to eBPF bytecode, etc.
The latter ones are more obscure and require expertise; the former are trivial and are offered off the shelf.
I just use nftables except if I have a good reason to use something more complicated.
Packet filtering can mean multiple things. For blocking IP addresses or network ranges entirely I use
ip route add blackhole <ip address>
I used nftables before but with a few thousand rules on my router my internet connection slowed down considerably.
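As an added example (not code from any poster in this thread), here is the nftables counterpart to per-address blocking: the blocklist goes into one named set with `flags interval`, and a single rule matches source addresses against that set, so the rule count stays at one however many entries the set holds. The script builds such a ruleset from a constructed sample blocklist (the table, set and chain names are hypothetical) and, where `nft` is installed, only syntax-checks the result with `nft -c -f`; it never loads anything into the kernel.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that drops traffic from a
# blocklist using one rule plus an interval set, not one rule per address.
# The blocklist below is constructed sample data (documentation ranges).

BLOCKLIST='# constructed example entries, not real threat data
203.0.113.0/24
198.51.100.7
# duplicate line, removed by normalization
198.51.100.7
192.0.2.0/25
'

# normalize_blocklist: strip comments and blank lines, trim whitespace, deduplicate.
normalize_blocklist() {
    printf '%s\n' "$1" \
        | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$' \
        | sort -u
}

# build_ruleset: emit a complete nft ruleset. Table "blocklist", set "drop_v4"
# and chain "input" are hypothetical names chosen for this example.
# "flags interval" lets the set hold CIDR ranges as well as single addresses.
build_ruleset() {
    entries=$(normalize_blocklist "$1")
    # join entries into "a, b, c" for the elements list
    elements=$(printf '%s\n' "$entries" | tr '\n' ',' | sed 's/,$//; s/,/, /g')
    cat <<EOF
table inet blocklist {
    set drop_v4 {
        type ipv4_addr
        flags interval
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @drop_v4 counter drop
    }
}
EOF
}

# count_elements: how many set elements the generated ruleset carries.
count_elements() {
    build_ruleset "$1" | grep 'elements = ' | tr ',' '\n' | wc -l | tr -d ' '
}

# check_ruleset: dry-run syntax check with nft -c when it is installed (may need
# root for netlink access); the ruleset is never applied.
check_ruleset() {
    tmp=$(mktemp)
    build_ruleset "$1" > "$tmp"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$tmp"
    else
        echo "nft not installed, skipping syntax check" >&2
    fi
    rm -f "$tmp"
}

build_ruleset "$BLOCKLIST"
```

The `counter` keyword on the drop rule gives you a hit count per `nft list ruleset`, which is the cheapest way to confirm the blocklist is actually matching traffic before trusting it on a router.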
iptables and nftables are the same under the hood on NixOS; the difference is mainly in the CLI frontend.
Neat idea! I’m curious and unfamiliar with ip. Do you know what subsystem ip uses? Or any beginner documentation for a noob like me?
ip is in the iproute2 package and is the default network tool for Linux. A good read is https://wiki.linuxfoundation.org/networking/iproute2 and the iproute2 cheat sheet.
Some basic commands:
ip address show
ip address show dev eno1
ip route show
ip -6 route show
ip route get 220.127.116.11
ip route get 127.0.0.1
Which can be shortened to:
ip a s
ip r s
ip -6 r s
ip r g 18.104.22.168
ip r g 127.0.0.1