Unverified Commit cabbab19 authored by Gary Guo, committed by Sandro Jäckel

nixos-firewall-tool: add nftables support



Co-authored-by: Rvfg <i@rvf6.com>
parent 40596985
+2 −0
@@ -720,6 +720,8 @@
  This saves UPS battery and ensures that host(s) get back up again when power comes back, even in the scenario when the UPS would have had enough capacity to keep power on during the whole power outage.
  If you like the old behaviour of keeping the UPSs on (and emptying the battery) after the host(s) have shut down, and risk not getting a power cycle event to get the host(s) back up, set `power.ups.upsmon.settings.POWERDOWNFLAG = null;`.

- `nixos-firewall-tool` now supports nftables in addition to iptables and is installed by default when NixOS firewall is enabled.

- Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872)
  in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners
  should be changed to using *runner authentication tokens* by configuring
+0 −1
@@ -297,7 +297,6 @@ in
      }
    ];

    environment.systemPackages = [ pkgs.nixos-firewall-tool ];
    networking.firewall.checkReversePath = lib.mkIf (!kernelHasRPFilter) (lib.mkDefault false);

    systemd.services.firewall = {
+9 −0
@@ -81,6 +81,13 @@ in

    networking.nftables.tables."nixos-fw".family = "inet";
    networking.nftables.tables."nixos-fw".content = ''
        set temp-ports {
          comment "Temporarily opened ports"
          type inet_proto . inet_service
          flags interval
          auto-merge
        }

        ${lib.optionalString (cfg.checkReversePath != false) ''
          chain rpfilter {
            type filter hook prerouting priority mangle + 10; policy drop;
@@ -147,6 +154,8 @@ in
            ''
          ) cfg.allInterfaces)}

          meta l4proto . th dport @temp-ports accept

          ${lib.optionalString cfg.allowPing ''
            icmp type echo-request ${lib.optionalString (cfg.pingLimit != null) "limit rate ${cfg.pingLimit}"} accept comment "allow ping"
          ''}
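Review bot: The new accept rule `meta l4proto . th dport @temp-ports accept` carries no `comment`, unlike the neighbouring ping rule that ends in `comment "allow ping"`, so in `nft list table inet nixos-fw` output (which is what the tool's `show` prints) a temporarily opened port appears as an anonymous accept rule next to a set named temp-ports. Ending the rule with `comment "temporarily opened ports"` makes the link visible where an operator will actually look for it. Note also that `th dport` is read for whatever l4proto the set element names, so the set type `inet_proto . inet_service` does not by itself restrict elements to protocols that have ports; presumably only tcp/udp are ever added, but nothing here enforces it. The chain this rule belongs to starts and ends outside the hunk.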
+4 −1
@@ -274,7 +274,10 @@ in

    networking.firewall.trustedInterfaces = [ "lo" ];

    environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages;
    environment.systemPackages = [
      cfg.package
      pkgs.nixos-firewall-tool
    ] ++ cfg.extraPackages;

    boot.kernelModules = (lib.optional cfg.autoLoadConntrackHelpers "nf_conntrack")
      ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
+34 −4
@@ -2,10 +2,19 @@

set -euo pipefail

# Detect if iptables or nftables-based firewall is used.
if [[ -e /etc/systemd/system/firewall.service ]]; then
    BACKEND=iptables
elif [[ -e /etc/systemd/system/nftables.service ]]; then
    BACKEND=nftables
else
    echo "nixos-firewall-tool: cannot detect firewall backend" >&2
    exit 1
fi

ip46tables() {
  iptables -w "$@"
  ip6tables -w "$@"

}

show_help() {
@@ -36,14 +45,35 @@ case $1 in
    protocol="$2"
    port="$3"

    case $BACKEND in
        iptables)
            ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept
            ;;
        nftables)
            nft add element inet nixos-fw "temp-ports" "{ $protocol . $port }"
            ;;
    esac
  ;;
  "show")
    case $BACKEND in
        iptables)
            ip46tables --numeric --list nixos-fw
            ;;
        nftables)
            nft list table inet nixos-fw
            ;;
    esac
  ;;
  "reset")
    case $BACKEND in
        iptables)
            systemctl restart firewall.service
            ;;
        nftables)
            nft flush set inet nixos-fw "temp-ports"
            ;;
    esac
  ;;
  -h|--help|help)
    show_help
    exit 0