diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 5b3aa19af3bb..5919962837a2 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -331,6 +331,17 @@ in
 '';
 };
+ package = mkOption {
+ type = types.package;
+ default = pkgs.iptables;
+ defaultText = "pkgs.iptables";
+ example = literalExample "pkgs.iptables-nftables-compat";
+ description =
+ ''
+ The iptables package to use for running the firewall service."
+ '';
+ };
+
 logRefusedConnections = mkOption {
 type = types.bool;
 default = true;
@@ -536,7 +547,7 @@ in
 networking.firewall.trustedInterfaces = [ "lo" ];
- environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
+ environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages;
 boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
 ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
@@ -555,7 +566,7 @@ in
 before = [ "network-pre.target" ];
 after = [ "systemd-modules-load.service" ];
- path = [ pkgs.iptables ] ++ cfg.extraPackages;
+ path = [ cfg.package ] ++ cfg.extraPackages;
 # FIXME: this module may also try to load kernel modules, but
 # containers don't have CAP_SYS_MODULE. So the host system had
diff --git a/pkgs/os-specific/linux/iptables/default.nix b/pkgs/os-specific/linux/iptables/default.nix
index cf06ff353253..882c24057bbb 100644
--- a/pkgs/os-specific/linux/iptables/default.nix
+++ b/pkgs/os-specific/linux/iptables/default.nix
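Review bot: The new `package` option's description carries a stray closing double quote at the end of `The iptables package to use for running the firewall service."`; it should read `The iptables package to use for running the firewall service.`, otherwise the quote character would be rendered verbatim in the generated options documentation. It would also help to note in the same description that the legacy and nftables backends keep separate rule sets: the firewall scripts that flush and load rules (outside this hunk) now run with whichever package is configured, so switching `package` on a running system presumably leaves rules installed by the other backend in place until that backend flushes them or the host reboots. The two later hunks of this file make the same `cfg.package` substitution and raise nothing further.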
@@ -1,32 +1,48 @@
-{ stdenv, fetchurl, bison, flex, pkgconfig, pruneLibtoolFiles
-, libnetfilter_conntrack, libnftnl, libmnl, libpcap }:
+{ stdenv, fetchurl, pkgconfig, pruneLibtoolFiles, flex, bison
+, libmnl, libnetfilter_conntrack, libnfnetlink, libnftnl, libpcap
+, nftablesCompat ? false
+}:
+
+with stdenv.lib;
 stdenv.mkDerivation rec {
- pname = "iptables";
 version = "1.8.3";
+ pname = "iptables";
 src = fetchurl {
 url = "https://www.netfilter.org/projects/${pname}/files/${pname}-${version}.tar.bz2";
 sha256 = "106xkkg5crsscjlinxvqvprva23fwwqfgrzl8m2nn841841sqg52";
 };
- nativeBuildInputs = [ bison flex pkgconfig pruneLibtoolFiles ];
+ nativeBuildInputs = [ pkgconfig pruneLibtoolFiles flex bison ];
- buildInputs = [ libnetfilter_conntrack libnftnl libmnl libpcap ];
+ buildInputs = [ libmnl libnetfilter_conntrack libnfnetlink libnftnl libpcap ];
 preConfigure = ''
 export NIX_LDFLAGS="$NIX_LDFLAGS -lmnl -lnftnl"
 '';
 configureFlags = [
- "--enable-devel"
- "--enable-shared"
 "--enable-bpf-compiler"
- ];
+ "--enable-devel"
+ "--enable-libipq"
+ "--enable-nfsynproxy"
+ "--enable-shared"
+ ] ++ optional (!nftablesCompat) "--disable-nftables";
 outputs = [ "out" "dev" ];
- meta = with stdenv.lib; {
+ postInstall = optional nftablesCompat ''
+ rm $out/sbin/{iptables,iptables-restore,iptables-save,ip6tables,ip6tables-restore,ip6tables-save}
+ ln -sv xtables-nft-multi $out/bin/iptables
+ ln -sv xtables-nft-multi $out/bin/iptables-restore
+ ln -sv xtables-nft-multi $out/bin/iptables-save
+ ln -sv xtables-nft-multi $out/bin/ip6tables
+ ln -sv xtables-nft-multi $out/bin/ip6tables-restore
+ ln -sv xtables-nft-multi $out/bin/ip6tables-save
+ '';
+
+ meta = {
 description = "A program to configure the Linux IP packet filtering ruleset";
 homepage = https://www.netfilter.org/projects/iptables/index.html;
 platforms = platforms.linux;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index e0f4c99793d5..1841cecf83f7 100644
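Review bot: `postInstall = optional nftablesCompat ''…''` assigns a list to an attribute that is conventionally a string; it appears to work only because mkDerivation stringifies a one-element (or empty) list, so `postInstall = optionalString nftablesCompat ''` is the helper that states the intent and keeps the attribute's type explicit. The `rm` targets `$out/sbin` while the replacement symlinks are created in `$out/bin` with a relative target; if this relies on sbin being merged into bin later in the build (not visible here), a comment such as `# sbin is merged into bin during fixup, so the relative links to xtables-nft-multi resolve afterwards` would spare the next reader the same question, and if it does not, the links dangle. The `--disable-nftables` flag is only dropped for the compat variant, so the default build still has no nft backend compiled in; that matches the `iptables-legacy` naming in all-packages.nix and is worth a one-line comment next to `nftablesCompat ? false`.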
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -15598,7 +15598,9 @@ in
 iputils = callPackage ../os-specific/linux/iputils { };
- iptables = callPackage ../os-specific/linux/iptables { };
+ iptables = iptables-legacy;
+ iptables-legacy = callPackage ../os-specific/linux/iptables { };
+ iptables-nftables-compat = callPackage ../os-specific/linux/iptables { nftablesCompat = true; };
 iptstate = callPackage ../os-specific/linux/iptstate { } ;
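Review bot: `iptables-legacy` and `iptables-nftables-compat` are both built from the same derivation with `pname = "iptables"` and version `1.8.3`, so their store paths differ only by hash and `nix-env -q` output, reference listings and closure diffs cannot tell which firewall backend a system actually runs. A distinguishing name for the compat variant would make the backend auditable from the closure alone; since default.nix interpolates `${pname}` into the source `url`, the distinct name belongs in the derivation `name` or a separate suffix rather than in `pname`. Both variants also install the same binary names, so adding the two to one profile would presumably collide; the attribute split here does not address that.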