Unverified Commit 0d13ad08 authored by K900's avatar K900 Committed by GitHub

Merge pull request #219455 from K900/remove-conntrack-helpers

nixos/firewall: handle conntrack helper autodetection being removed in 6.0
parents 2eeefe41 84f3520c
+2 −0
@@ -142,6 +142,8 @@ In addition to numerous new and upgraded packages, this release has the followin

- [services.xserver.videoDrivers](options.html#opt-services.xserver.videoDrivers) now defaults to the `modesetting` driver over device-specific ones. The `radeon`, `amdgpu` and `nouveau` drivers are still available, but effectively unmaintained and not recommended for use.

- conntrack helper autodetection has been removed from kernels 6.0 and up upstream, and an assertion was added to ensure things don't silently stop working. Migrate your configuration to assign helpers explicitly or use an older LTS kernel branch as a temporary workaround.

## Other Notable Changes {#sec-release-23.05-notable-changes}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+4 −0
@@ -269,6 +269,10 @@ in
        assertion = cfg.filterForward -> config.networking.nftables.enable;
        message = "filterForward only works with the nftables based firewall";
      }
      {
        assertion = cfg.autoLoadConntrackHelpers -> lib.versionOlder config.boot.kernelPackages.kernel.version "6";
        message = "conntrack helper autoloading has been removed from kernel 6.0 and newer";
      }
    ];

    networking.firewall.trustedInterfaces = [ "lo" ];
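Review bot: The message on the second line of the added assertion block says what broke but not how to proceed, while the release note in this same commit already names the migration path; carrying that guidance into the message saves the user a trip to the manual, e.g. `message = "conntrack helper autoloading has been removed from kernel 6.0 and newer; migrate to explicit helper assignment or set networking.firewall.autoLoadConntrackHelpers = false";`. The check keys purely on `config.boot.kernelPackages.kernel.version` being older than "6", so a custom or downstream kernel below 6.0 that carries the upstream removal would presumably pass the assertion and still lose helper autodetection silently; a one-line comment above the assertion stating that it reflects the upstream version cut-off only would make that limitation explicit. The enclosing assertions list starts before the hunk.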
+0 −2
@@ -433,10 +433,8 @@ in {
  nagios = handleTest ./nagios.nix {};
  nar-serve = handleTest ./nar-serve.nix {};
  nat.firewall = handleTest ./nat.nix { withFirewall = true; };
  nat.firewall-conntrack = handleTest ./nat.nix { withFirewall = true; withConntrackHelpers = true; };
  nat.standalone = handleTest ./nat.nix { withFirewall = false; };
  nat.nftables.firewall = handleTest ./nat.nix { withFirewall = true; nftables = true; };
  nat.nftables.firewall-conntrack = handleTest ./nat.nix { withFirewall = true; withConntrackHelpers = true; nftables = true; };
  nat.nftables.standalone = handleTest ./nat.nix { withFirewall = false; nftables = true; };
  nats = handleTest ./nats.nix {};
  navidrome = handleTest ./navidrome.nix {};
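--- a/nat.nix
+++ b/nat.nix
@@ -3,7 +3,7 @@
 # client on the inside network, a server on the outside network, and a
 # router connected to both that performs Network Address Translation
 # for the client.
-import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, nftables ? false, ... }:
+import ./make-test-python.nix ({ pkgs, lib, withFirewall, nftables ? false, ... }:
   let
     unit = if nftables then "nftables" else (if withFirewall then "firewall" else "nat");
 
@@ -16,16 +16,11 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ?
           networking.nat.internalIPs = [ "192.168.1.0/24" ];
           networking.nat.externalInterface = "eth1";
         }
-        (lib.optionalAttrs withConntrackHelpers {
-          networking.firewall.connectionTrackingModules = [ "ftp" ];
-          networking.firewall.autoLoadConntrackHelpers = true;
-        })
       ];
   in
   {
     name = "nat" + (lib.optionalString nftables "Nftables")
-                 + (if withFirewall then "WithFirewall" else "Standalone")
-                 + (lib.optionalString withConntrackHelpers "withConntrackHelpers");
+                 + (if withFirewall then "WithFirewall" else "Standalone");
     meta = with pkgs.lib.maintainers; {
       maintainers = [ eelco rob ];
     };
@@ -39,10 +34,6 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ?
                 (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ipv4.addresses).address;
               networking.nftables.enable = nftables;
             }
-            (lib.optionalAttrs withConntrackHelpers {
-              networking.firewall.connectionTrackingModules = [ "ftp" ];
-              networking.firewall.autoLoadConntrackHelpers = true;
-            })
           ];
 
         router =
@@ -95,7 +86,7 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ?
         client.succeed("curl -v ftp://server/foo.txt >&2")
 
         # Test whether active FTP works.
-        client.${if withConntrackHelpers then "succeed" else "fail"}("curl -v -P - ftp://server/foo.txt >&2")
+        client.fail("curl -v -P - ftp://server/foo.txt >&2")
 
         # Test ICMP.
         client.succeed("ping -c 1 router >&2")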
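Review bot: The comment `# Test whether active FTP works.` above the new `client.fail(...)` line in the last hunk now contradicts the assertion, which expects active FTP to fail; reword it to `# Active FTP is expected to fail here: no conntrack helper is assigned, so the data connection is not tracked.` so a future reader does not mistake the fail for a regression. Removing the `withConntrackHelpers` variant also drops the only coverage of `networking.firewall.connectionTrackingModules`, so the migration the release note points users to (assigning helpers explicitly) is presumably left unexercised by the test suite; a follow-up variant that assigns the ftp helper explicitly and keeps a `succeed` expectation would restore that coverage. The enclosing test script continues outside the hunk.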