Commit dc49e8c9 authored by git@71rd.net's avatar git@71rd.net

nixos/nftables: replace script with file

The nftables service now successfully restarts or reloads, and deletes the previous rules, even if the file
`/var/lib/nftables/deletions.nft` is on a partition that was mounted noexec.
Instead of writing a deletion script, the service creates a simple
file where nftables rules are written to that is used as an argument
for the `nft` command to delete rules upon stop,restart, or reload.
parent 62dc67aa
+2 −3
@@ -298,7 +298,6 @@ in
        let
          enabledTables = lib.filterAttrs (_: table: table.enable) cfg.tables;
          deletionsScript = pkgs.writeScript "nftables-deletions" ''
            #! ${pkgs.nftables}/bin/nft -f
            ${
              if cfg.flushRuleset then
                "flush ruleset"
@@ -313,9 +312,9 @@ in
            ${cfg.extraDeletions}
          '';
          deletionsScriptVar = "/var/lib/nftables/deletions.nft";
          makeDeletions = "${pkgs.nftables}/bin/nft -f ${deletionsScriptVar}";
          ensureDeletions = pkgs.writeShellScript "nftables-ensure-deletions" ''
            touch ${deletionsScriptVar}
            chmod +x ${deletionsScriptVar}
          '';
          saveDeletionsScript = pkgs.writeShellScript "nftables-save-deletions" ''
            cp ${deletionsScript} ${deletionsScriptVar}
@@ -380,7 +379,7 @@ in
            saveDeletionsScript
          ];
          ExecStop = [
            deletionsScriptVar
            makeDeletions
            cleanupDeletionsScript
          ];
          StateDirectory = "nftables";
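Review bot: `deletionsScript` on the second hunk's context line still appears to be built with `pkgs.writeScript`, even though the shebang line is dropped in the first hunk and the file is now only ever consumed through `makeDeletions` (`nft -f ${deletionsScriptVar}`), so the store path no longer needs the executable bit. If that line is indeed unchanged (the rendered page shows no marker), `deletionsScript = pkgs.writeText "nftables-deletions" ''` would state that the store file is data, not a program, and match the commit title. With `chmod +x` gone, `ensureDeletions` only `touch`es the state file before `cp` overwrites it; a comment such as `# file is read by nft -f, it does not need to be executable` above the `touch` would keep the next maintainer from reintroducing the chmod. The enclosing `let` block starts before the first hunk and ends after the last.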