Unverified Commit b6f88484 authored by Maciej Krüger's avatar Maciej Krüger Committed by GitHub

Merge pull request #240918 from SuperSandro2000/networkmanager-firewall-backend

nixos/networkmanager: default firewallBackend to nftables, remove firewallBackend
parents e8ae5984 7fd7b57d
+1 −0
@@ -217,6 +217,7 @@
  order, or relying on `mkBefore` and `mkAfter`, but may impact users calling
  `mkOrder n` with n ≤ 400.

- `networking.networkmanager.firewallBackend` was removed as NixOS is now using iptables-nftables-compat even when using iptables, therefore Networkmanager now uses the nftables backend unconditionally.

## Other Notable Changes {#sec-release-23.11-notable-changes}

+17 −25
@@ -30,13 +30,11 @@ let
  configFile = pkgs.writeText "NetworkManager.conf" (lib.concatStringsSep "\n" [
    (mkSection "main" {
      plugins = "keyfile";
      dhcp = cfg.dhcp;
      dns = cfg.dns;
      inherit (cfg) dhcp dns;
      # If resolvconf is disabled that means that resolv.conf is managed by some other module.
      rc-manager =
        if config.networking.resolvconf.enable then "resolvconf"
        else "unmanaged";
      firewall-backend = cfg.firewallBackend;
    })
    (mkSection "keyfile" {
      unmanaged-devices =
@@ -233,15 +231,6 @@ in
        '';
      };

      firewallBackend = mkOption {
        type = types.enum [ "iptables" "nftables" "none" ];
        default = "iptables";
        description = lib.mdDoc ''
          Which firewall backend should be used for configuring masquerading with shared mode.
          If set to none, NetworkManager doesn't manage the configuration at all.
        '';
      };

      logLevel = mkOption {
        type = types.enum [ "OFF" "ERR" "WARN" "INFO" "DEBUG" "TRACE" ];
        default = "WARN";
@@ -341,7 +330,6 @@ in
        example = literalExpression ''
          [ {
            source = pkgs.writeText "upHook" '''

              if [ "$2" != "up" ]; then
                logger "exit: event $2 != up"
                exit
@@ -351,7 +339,8 @@ in
              logger "Device $DEVICE_IFACE coming up"
            ''';
            type = "basic";
          } ]'';
          } ]
        '';
        description = lib.mdDoc ''
          A list of scripts which will be executed in response to network events.
        '';
@@ -413,6 +402,9 @@ in
      them via the DNS server in your network, or use environment.etc
      to add a file into /etc/NetworkManager/dnsmasq.d reconfiguring hostsdir.
    '')
    (mkRemovedOptionModule [ "networking" "networkmanager" "firewallBackend" ] ''
      This option was removed as NixOS is now using iptables-nftables-compat even when using iptables, therefore Networkmanager now uses the nftables backend unconditionally.
    '')
  ];


+0 −1
@@ -248,7 +248,6 @@ in
  config = mkIf cfg.enable {
    boot.blacklistedKernelModules = [ "ip_tables" ];
    environment.systemPackages = [ pkgs.nftables ];
    networking.networkmanager.firewallBackend = mkDefault "nftables";
    # versionOlder for backportability, remove afterwards
    networking.nftables.flushRuleset = mkDefault (versionOlder config.system.stateVersion "23.11" || (cfg.rulesetFile != null || cfg.ruleset != ""));
    systemd.services.nftables = {