# Zones
Zones define a part of the network topology.
They are usually defined as a list of subnets or a list of interfaces, though custom rules for matching traffic are possible.
There exists an implicit `all` zone that matches all traffic.
Traffic originating from or targeting the local machine is matched by a predefined zone called `fw` (short for firewall) by default.
Zones support inheritance.
Each zone automatically gets the rules of its parent zone applied after its own, more specific rules have been applied.
## Options
### networking.nftables.firewall.zones
Name
```
networking.nftables.firewall.zones
```
Description
This option has no description.
Type
```
attribute set of (submodule)
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.zones.<name>.after
Name
```
networking.nftables.firewall.zones.<name>.after
```
Description
This option has no description.
Type
```
non-empty (list of string)
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.zones.<name>.before
Name
```
networking.nftables.firewall.zones.<name>.before
```
Description
This option has no description.
Type
```
non-empty (list of string)
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.zones.<name>.early
Name
```
networking.nftables.firewall.zones.<name>.early
```
Description
This option has no description.
Type
```
boolean
```
Default
```
false
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.zones.<name>.egressExpression
Name
```
networking.nftables.firewall.zones.<name>.egressExpression
```
Description
`ingressExpression` and `egressExpression` contain nft expressions
that match traffic and thereby define the zone. Traffic matched by the
`ingressExpression` is considered to originate in the zone, while
traffic matched by the `egressExpression` is considered to target
the zone.
If multiple expressions are given, any one of them matching the traffic
suffices to consider the traffic part of the zone. This is used,
e.g., when defining a zone as an IPv4 and an IPv6 subnet: no traffic
will ever match both, so one matching expression is considered
sufficient.
`ingressExpression` and `egressExpression` must be balanced, i.e.
both lists need to contain the same number of expressions.
`ingressExpression` and `egressExpression` are mandatory for all
zones except the local zone.
Type
```
list of string
```
Default
```
[ ]
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.zones.<name>.enable
Name
```
networking.nftables.firewall.zones.<name>.enable
```
Description
This option has no description.
Type
```
boolean
```
Default
```
true
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.zones.<name>.ingressExpression
Name
```
networking.nftables.firewall.zones.<name>.ingressExpression
```
Description
`ingressExpression` and `egressExpression` contain nft expressions
that match traffic and thereby define the zone. Traffic matched by the
`ingressExpression` is considered to originate in the zone, while
traffic matched by the `egressExpression` is considered to target
the zone.
If multiple expressions are given, any one of them matching the traffic
suffices to consider the traffic part of the zone. This is used,
e.g., when defining a zone as an IPv4 and an IPv6 subnet: no traffic
will ever match both, so one matching expression is considered
sufficient.
`ingressExpression` and `egressExpression` must be balanced, i.e.
both lists need to contain the same number of expressions.
`ingressExpression` and `egressExpression` are mandatory for all
zones except the local zone.
Type
```
list of string
```
Default
```
[ ]
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.zones.<name>.interfaces
Name
```
networking.nftables.firewall.zones.<name>.interfaces
```
Description
Shorthand for defining `ingressExpression` and `egressExpression`
using `iifname` and `oifname` respectively.
This defines the zone as a list of network interfaces.
Type
```
list of string
```
Default
```
[ ]
```
Example
```
[ "eth0" ]
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.zones.<name>.ipv4Addresses
Name
```
networking.nftables.firewall.zones.<name>.ipv4Addresses
```
Description
Shorthand for defining `ingressExpression` and `egressExpression`
using `ip saddr` and `ip daddr` respectively.
This defines the zone as a list of IPv4 hosts or subnets.
Type
```
list of string
```
Default
```
[ ]
```
Example
```
[ "192.168.0.0/24" ]
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.zones.<name>.ipv6Addresses
Name
```
networking.nftables.firewall.zones.<name>.ipv6Addresses
```
Description
Shorthand for defining `ingressExpression` and `egressExpression`
using `ip6 saddr` and `ip6 daddr` respectively.
This defines the zone as a list of IPv6 hosts or subnets.
Type
```
list of string
```
Default
```
[ ]
```
Example
```
[ "2042::/16" ]
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.zones.<name>.late
Name
```
networking.nftables.firewall.zones.<name>.late
```
Description
This option has no description.
Type
```
boolean
```
Default
```
false
```
Declared in
modules/zoned.nix
### networking.nftables.firewall.zones.<name>.parent
Name
```
networking.nftables.firewall.zones.<name>.parent
```
Description
In addition to `ingressExpression` and `egressExpression`, a zone
can also be defined as a subzone of another zone. If so, the traffic
is matched against the `ingressExpression` and `egressExpression`
only if it is already considered to be part of the parent zone.
If traffic matches a zone, it is first tested whether it also
matches some of the zone's subzones. If so, the logic of those subzones
is applied. If not, or if the subzones did not terminate rule
processing with a verdict, the rules of the parent zone are
applied.
Type
```
null or string
```
Default
```
null
```
Example
```
config.networking.nftables.firewall.localZoneName
```
Declared in
modules/zoned.nix
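The following zone configuration is an added example, not taken from the module's own documentation; it shows the three ways of defining a zone described above (the `interfaces` shorthand, a subzone via `parent`, and balanced `ingressExpression`/`egressExpression` lists) together. Interface names and addresses are constructed.

```nix
{
  networking.nftables.firewall.zones = {
    # Interface shorthand: expands to `iifname` (ingress) and
    # `oifname` (egress) matches on the listed interfaces.
    lan.interfaces = [ "eth1" ];

    # Subzone: because `parent` is set, the address matches below are
    # only consulted for traffic that has already matched "lan".
    # Packets carrying a 192.168.10.0/24 source address that arrive on
    # some other interface therefore never count as "mgmt".
    mgmt = {
      parent = "lan";
      ipv4Addresses = [ "192.168.10.0/24" ];   # constructed address
      ipv6Addresses = [ "fd00:10::/64" ];      # constructed address
    };

    # Raw nft expressions: one entry per address family in each list,
    # so both lists have the same length (they must be balanced).
    # Any single entry matching is enough for traffic to belong to the
    # zone; no packet can match both the IPv4 and the IPv6 entry.
    dmz = {
      ingressExpression = [ "ip saddr 10.0.1.0/24" "ip6 saddr fd00:1::/64" ];
      egressExpression  = [ "ip daddr 10.0.1.0/24" "ip6 daddr fd00:1::/64" ];
    };
  };
}
```

Rules attached to `mgmt` are evaluated before those of `lan`, and `lan`'s rules still apply to `mgmt` traffic that no `mgmt` rule gave a verdict for, as described under `parent` above.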