Unverified Commit db0532fe authored by Maciej Krüger's avatar Maciej Krüger Committed by GitHub

nixos/firewalld: init (#398587)

parents 59062518 6f2b5946
+6 −0
@@ -32,6 +32,10 @@

  Refer to the [GNOME release notes](https://release.gnome.org/49/) for more details.

- FirewallD support has been added. It can be configured both as a standalone service (through `services.firewalld`), and as a backend to the existing `networking.firewall` options.

- `networking.firewall` now has a `backend` option for choosing which backend to use.

## New Modules {#sec-release-25.11-new-modules}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -53,6 +57,8 @@

- [umami](https://github.com/umami-software/umami), a simple, fast, privacy-focused alternative to Google Analytics. Available with [services.umami](#opt-services.umami.enable).

- [FirewallD](https://firewalld.org/), a firewall daemon with D-Bus interface providing a dynamic firewall. Available as [services.firewalld](#opt-services.firewalld.enable) and a [networking.firewall.backend](#opt-networking.firewall.backend).

- [FileBrowser](https://filebrowser.org/), a web application for managing and sharing files. Available as [services.filebrowser](#opt-services.filebrowser.enable).

- Options under [networking.getaddrinfo](#opt-networking.getaddrinfo.enable) are now allowed to declaratively configure address selection and sorting behavior of `getaddrinfo` in dual-stack networks.
+2 −0
@@ -1162,9 +1162,11 @@
  ./services/networking/ferm.nix
  ./services/networking/firefox-syncserver.nix
  ./services/networking/fireqos.nix
  ./services/networking/firewall-firewalld.nix
  ./services/networking/firewall-iptables.nix
  ./services/networking/firewall-nftables.nix
  ./services/networking/firewall.nix
  ./services/networking/firewalld
  ./services/networking/firezone/gateway.nix
  ./services/networking/firezone/gui-client.nix
  ./services/networking/firezone/headless-client.nix
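--- /dev/null
+++ b/services/networking/firewall-firewalld.nix
@@ -0,0 +1,61 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.networking.firewall;
+in
+{
+  config = lib.mkIf (cfg.enable && cfg.backend == "firewalld") {
+    assertions = [
+      {
+        assertion = cfg.interfaces == { };
+        message = ''
+          Per interface configurations is not supported with the firewalld based firewall.
+          Create zones with `services.firewalld.zones` instead.
+        '';
+      }
+    ];
+
+    boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" =
+      if cfg.checkReversePath == false then
+        0
+      else if cfg.checkReversePath == "loose" then
+        1
+      else
+        2;
+
+    services.firewalld = {
+      settings = {
+        DefaultZone = lib.mkDefault "nixos-fw-default";
+        LogDenied =
+          if cfg.logRefusedConnections then
+            (if cfg.logRefusedUnicastsOnly then "unicast" else "all")
+          else
+            "off";
+        IPv6_rpfilter =
+          if cfg.checkReversePath == false then
+            "no"
+          else
+            let
+              mode = if cfg.checkReversePath == true then "strict" else cfg.checkReversePath;
+              suffix = if cfg.filterForward then "" else "-forward";
+            in
+            "${mode}${suffix}";
+      };
+      zones = {
+        nixos-fw-default = {
+          target = if cfg.rejectPackets then "%%REJECT%%" else "DROP";
+          icmpBlockInversion = true;
+          icmpBlocks = lib.mkIf cfg.allowPing [ "echo-request" ];
+          ports =
+            let
+              f = protocol: port: { inherit protocol port; };
+              tcpPorts = map (f "tcp") (cfg.allowedTCPPorts ++ cfg.allowedTCPPortRanges);
+              udpPorts = map (f "udp") (cfg.allowedUDPPorts ++ cfg.allowedUDPPortRanges);
+            in
+            tcpPorts ++ udpPorts;
+        };
+        trusted.interfaces = cfg.trustedInterfaces;
+      };
+    };
+  };
+}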
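Review bot: Rules supplied through `networking.firewall.extraCommands` (declared in firewall-iptables.nix in this same commit) and `networking.firewall.extraInputRules` (firewall-nftables.nix) are accepted but never applied when `backend == "firewalld"`, because the `assertions` list here only rejects `cfg.interfaces`; the nftables backend guards the equivalent case with `assertion = cfg.extraCommands == ""`, so a host moved to this backend with such rules still set would silently run a more permissive policy than its configuration states. An entry such as `{ assertion = cfg.extraCommands == "" && cfg.extraInputRules == ""; message = "extraCommands/extraInputRules are not supported with the firewalld backend; use services.firewalld.zones instead."; }`, extended to any other backend-specific rule options declared in those modules, would surface this at evaluation time. The `ports` list also passes `allowedTCPPortRanges`/`allowedUDPPortRanges` elements through unchanged as `port`, which presumes the `services.firewalld.zones.<name>.ports` option accepts a range attribute set as well as an integer; that option's declaration is not in this diff and is worth confirming. Minor: the assertion message reads `Per interface configurations is not supported`; `Per-interface configuration is not supported` is the intended wording.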
+3 −7
@@ -285,9 +285,7 @@ let
in

{

  options = {

    networking.firewall = {
      extraCommands = lib.mkOption {
        type = lib.types.lines;
@@ -317,13 +315,11 @@ in
        '';
      };
    };

  };

  # FIXME: Maybe if `enable' is false, the firewall should still be
  # built but not started by default?
  config = lib.mkIf (cfg.enable && config.networking.nftables.enable == false) {

  config = lib.mkIf (cfg.enable && cfg.backend == "iptables") {
    assertions = [
      # This is approximately "checkReversePath -> kernelHasRPFilter",
      # but the checkReversePath option can include non-boolean
@@ -336,6 +332,8 @@ in

    networking.firewall.checkReversePath = lib.mkIf (!kernelHasRPFilter) (lib.mkDefault false);

    environment.systemPackages = [ pkgs.nixos-firewall-tool ];

    systemd.services.firewall = {
      description = "Firewall";
      wantedBy = [ "sysinit.target" ];
@@ -365,7 +363,5 @@ in
        ExecStop = "@${stopScript} firewall-stop";
      };
    };

  };

}
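Review bot: The `config = lib.mkIf (cfg.enable && cfg.backend == "iptables")` line drops the `config.networking.nftables.enable == false` check that the replaced condition carried, so whether the iptables script and an nftables configuration can now be enabled together depends on how the default of `networking.firewall.backend` is declared in firewall.nix, which is outside this diff. If that default is not derived from `networking.nftables.enable`, a host with `networking.nftables.enable = true` and the default backend would get this iptables script alongside the nftables ruleset, and the effective policy would depend on which was loaded last. Adding `{ assertion = !config.networking.nftables.enable; message = "The iptables firewall backend cannot be used together with networking.nftables; set networking.firewall.backend accordingly."; }` to the `assertions` list here would make the exclusion explicit regardless of the default. The `assertions` list and the enclosing attribute set both continue outside the hunk.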
+3 −7
@@ -19,9 +19,7 @@ let
in

{

  options = {

    networking.firewall = {
      extraInputRules = lib.mkOption {
        type = lib.types.lines;
@@ -59,11 +57,9 @@ in
        '';
      };
    };

  };

  config = lib.mkIf (cfg.enable && config.networking.nftables.enable) {

  config = lib.mkIf (cfg.enable && cfg.backend == "nftables") {
    assertions = [
      {
        assertion = cfg.extraCommands == "";
@@ -83,6 +79,8 @@ in
      }
    ];

    environment.systemPackages = [ pkgs.nixos-firewall-tool ];

    networking.nftables.tables."nixos-fw".family = "inet";
    networking.nftables.tables."nixos-fw".content = ''
      set temp-ports {
@@ -203,7 +201,5 @@ in
        }
      ''}
    '';

  };

}
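Review bot: The `config = lib.mkIf (cfg.enable && cfg.backend == "nftables")` line no longer requires `networking.nftables.enable`, which the replaced condition did, yet the block still only defines `networking.nftables.tables."nixos-fw"`; if that table is installed solely by the nftables service, a configuration with `networking.firewall.backend = "nftables"` and nftables left disabled would report an enabled firewall whose rules are never loaded. Whether the default of `backend` (declared in firewall.nix, outside this diff) rules that combination out cannot be seen here. Either `networking.nftables.enable = true;` inside this `config` block, or an assertion on `config.networking.nftables.enable` whose message points at that option, would close the gap. The enclosing `config` attribute set starts outside the hunk.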