From 3ef0e6a0b7b94c4fdc22d7137f145031397c7001 Mon Sep 17 00:00:00 2001
From: Jan Beinke
Date: Thu, 14 Dec 2023 19:09:48 +0100
Subject: [PATCH] Enable `nnf-common` snippet by default, but emit a warning if not manually defined

---
 checks/testCommon.nix | 1 +
 checks/testEmpty.nix | 1 +
 checks/testForward.nix | 1 +
 checks/testInheritance.nix | 1 +
 checks/testNat.nix | 1 +
 checks/testPortRules.nix | 1 +
 checks/testRuleType.nix | 1 +
 checks/testWebserver.nix | 1 +
 checks/testZoneExpressions.nix | 1 +
 docs/quickstart.md | 1 -
 nftables-snippets.nix | 10 +++++++++-
 nftables-zoned.nix | 14 ++++++++++++++
 12 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/checks/testCommon.nix b/checks/testCommon.nix
index 8fe9294..a779e20 100644
--- a/checks/testCommon.nix
+++ b/checks/testCommon.nix
@@ -7,6 +7,7 @@ machineTest ({config, ...}: {
 imports = [flakes.self.nixosModules.default];
 networking.nftables.firewall = {
+ enable = true;
 snippets.nnf-common.enable = true;
 };
diff --git a/checks/testEmpty.nix b/checks/testEmpty.nix
index 3da4c00..8a051fe 100644
--- a/checks/testEmpty.nix
+++ b/checks/testEmpty.nix
@@ -8,6 +8,7 @@ machineTest ({config, ...}: {
 networking.nftables.firewall = {
 enable = true;
+ snippets.nnf-common.enable = false;
 };
 output = {
diff --git a/checks/testForward.nix b/checks/testForward.nix
index 77b792b..1d8c911 100644
--- a/checks/testForward.nix
+++ b/checks/testForward.nix
@@ -8,6 +8,7 @@ machineTest ({config, ...}: {
 networking.nftables.firewall = {
 enable = true;
+ snippets.nnf-common.enable = false;
 zones.a.interfaces = ["a"];
 zones.b.interfaces = ["b"];
diff --git a/checks/testInheritance.nix b/checks/testInheritance.nix
index 0017ac7..3f2077d 100644
--- a/checks/testInheritance.nix
+++ b/checks/testInheritance.nix
@@ -8,6 +8,7 @@ machineTest ({config, ...}: {
 networking.nftables.firewall = {
 enable = true;
+ snippets.nnf-common.enable = false;
 zones.a.interfaces = ["a"];
diff --git a/checks/testNat.nix b/checks/testNat.nix
index 45954de..8842159 100644
--- a/checks/testNat.nix
+++ b/checks/testNat.nix
@@ -7,6 +7,7 @@ machineTest ({config, ...}: {
 imports = [flakes.self.nixosModules.default];
 networking.nftables.firewall = {
+ enable = true;
 snippets.nnf-common.enable = true;
 zones.a.interfaces = ["a"];
 zones.b.interfaces = ["b"];
diff --git a/checks/testPortRules.nix b/checks/testPortRules.nix
index 79b3b1b..6f5f05b 100644
--- a/checks/testPortRules.nix
+++ b/checks/testPortRules.nix
@@ -8,6 +8,7 @@ machineTest ({config, ...}: {
 networking.nftables.firewall = {
 enable = true;
+ snippets.nnf-common.enable = false;
 rules.nose = {
 from = "all";
 to = ["fw"];
diff --git a/checks/testRuleType.nix b/checks/testRuleType.nix
index e00ef6b..04f3141 100644
--- a/checks/testRuleType.nix
+++ b/checks/testRuleType.nix
@@ -8,6 +8,7 @@ machineTest ({config, ...}: {
 networking.nftables.firewall = {
 enable = true;
+ snippets.nnf-common.enable = false;
 rules.rule = {
 from = "all";
diff --git a/checks/testWebserver.nix b/checks/testWebserver.nix
index 1887544..870b0ea 100644
--- a/checks/testWebserver.nix
+++ b/checks/testWebserver.nix
@@ -7,6 +7,7 @@ machineTest ({config, ...}: {
 imports = [flakes.self.nixosModules.default];
 networking.nftables.firewall = {
+ enable = true;
 snippets.nnf-common.enable = true;
 rules.webserver = {
 from = "all";
diff --git a/checks/testZoneExpressions.nix b/checks/testZoneExpressions.nix
index 0b81624..6513444 100644
--- a/checks/testZoneExpressions.nix
+++ b/checks/testZoneExpressions.nix
@@ -7,6 +7,7 @@ machineTest ({config, ...}: {
 imports = [flakes.self.nixosModules.default];
 networking.nftables.firewall = {
+ enable = true;
 snippets.nnf-common.enable = true;
 zones.a.interfaces = ["a"];
 zones.a.ipv4Addresses = ["192.168.1.0/24"];
diff --git a/docs/quickstart.md b/docs/quickstart.md
index 9cbce85..6f9cafe 100644
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -49,7 +49,6 @@ We will look at the following `configuration.nix´.
 snippets.nnf-common.enable = true;
 ```
 This will enable the firewall and also the `nnf-common` snippet.
-(Actually the snippet will also enable the firewall, so if you are using it, enabling it by hand is not required.)
 ### Zones
 Next we will add some [zones](zones):
diff --git a/nftables-snippets.nix b/nftables-snippets.nix
index efd1c2e..14fc3f7 100644
--- a/nftables-snippets.nix
+++ b/nftables-snippets.nix
@@ -73,8 +73,16 @@ in {
 };
 config = mkMerge [
+ {
+ assertions = [
+ {
+ assertion = cfg.nnf-common.enable -> config.networking.nftables.firewall.enable;
+ message = "You enabled the `nnf-common` firewall snippet, but you did not enable the firewall itself.";
+ }
+ ];
+ }
+
+ (mkIf cfg.nnf-common.enable {
- networking.nftables.firewall.enable = true;
 networking.nftables.firewall.snippets = mkDefault {
 nnf-conntrack.enable = true;
 nnf-default-stopRuleset.enable = true;
diff --git a/nftables-zoned.nix b/nftables-zoned.nix
index 46cd87b..f318752 100644
--- a/nftables-zoned.nix
+++ b/nftables-zoned.nix
@@ -309,6 +309,20 @@ in {
 }
 ];
+ networking.nftables.firewall.snippets.nnf-common.enable = let
+ msg = concatStringsSep " " [
+ "To ease the migration for the nixos-nftables-firewall moving to snippets"
+ "the option `networking.nftables.firewall.snippets.nnf-common.enable` has"
+ "been defaulted to `true`. It will some day be switched to default to `false`"
+ "Please review, if these snippets do, what you need, make overrides as needed"
+ "and be warned, that their functionality might change in the future."
+ "You can read more about snippets here:\n"
+ "https://thelegy.github.io/nixos-nftables-firewall/snippets/\n"
+ "To remove this warning manually define the option."
+ ];
+ in
+ mkOverride 1499 (warn msg true);
+
 networking.nftables.firewall.zones.${cfg.localZoneName} = {
 localZone = true;
 };
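Review bot: The new assertion `cfg.nnf-common.enable -> config.networking.nftables.firewall.enable` has to be read together with the `mkOverride 1499 (warn msg true)` default this same commit adds in nftables-zoned.nix: if that default is not itself guarded by the firewall's `enable` (the enclosing attribute set starts outside that hunk, so it cannot be confirmed here), a host that merely imports the module and leaves both options unset now fails evaluation with a message claiming it enabled the snippet, which it never did. Either keep the default under `mkIf cfg.enable` or make the message cover the defaulted case, for example `message = "The nnf-common snippet is enabled (it now defaults to true) but networking.nftables.firewall.enable is not set; enable the firewall or set snippets.nnf-common.enable = false.";`. Dropping `networking.nftables.firewall.enable = true;` also turns the previously documented "the snippet enables the firewall" behaviour into a hard evaluation error for existing configurations, so a one-line comment above the assertion naming this as the intended breaking change would help the next reader. None of the updated checks leaves `snippets.nnf-common.enable` undefined, so the defaulted path this assertion now guards is not exercised by the test suite.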
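Review bot: `mkOverride 1499` carries the whole intent of this definition but nothing in the hunk says why that number; a comment such as `# 1499: loses to any explicit definition (100) and to mkDefault (1000) and beats only the option's declared default, so `warn` is only forced when the user left the option unset` would stop a later maintainer from "simplifying" it to mkDefault and changing who wins. From a firewall point of view this default silently enlarges the generated ruleset of every existing configuration that never mentioned nnf-common (the `mkDefault` block in nftables-snippets.nix pulls in at least `nnf-conntrack` and `nnf-default-stopRuleset`), and the only signal is an evaluation-time `warn` that is easy to lose in CI output, so the change deserves a line in the changelog or docs rather than only in the warning text. Every check touched by this commit pins the option explicitly; a check that leaves it unset and asserts the common chains appear in the output would cover the path the commit actually introduces. The warning text also reads oddly (`Please review, if these snippets do, what you need`) and lacks a full stop after `false`; something like `Please review whether these snippets do what you need and override them as needed.` is clearer. The enclosing `config` set starts outside the hunk, so whether this definition sits inside a `mkIf cfg.enable` cannot be confirmed from here.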