Rules

Rules define what should happen with the traffic matched by the zones. Each rule has a list of from zones and to zones. A rule only gets applied if the traffic in question originated in one of the from zones and is heading to one of the to zones.

If matched, the rule can define ports to open, a terminating verdict or any custom nft rules by using extraLines.

Rules are applied from most specific to least specific, traversing the from side before the to side. To allow for more complex setups (mostly custom drop/reject rules), rules are applied in multiple passes. Each rule has a ruleType. Rules are grouped by their type and applied in these groups, so that all rules of the first type are applied before rules of the next type are taken into consideration.
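A worked configuration, added here as an illustration rather than taken from the module's own documentation, that puts the three rule types together using only the options listed below. The zone names lan and fw are assumed to be declared in the zones section, which this page does not cover, and the source prefix in the ban rule is a constructed documentation address.

```nix
# Added example (not from the module's own docs). Zone names "lan" and "fw"
# are assumed to exist in networking.nftables.firewall.zones.
{
  networking.nftables.firewall.rules = {
    # ruleType "ban" is applied in the first pass: drop traffic from a
    # (constructed, RFC 5737) prefix no matter which zone it arrives in.
    # extraLines carries a raw nft rule line verbatim.
    ban-documentation-prefix = {
      from = "all";
      to = "all";
      ruleType = "ban";
      extraLines = [ "ip saddr 192.0.2.0/24 drop" ];
    };

    # Default ruleType "rule": hosts in lan may reach SSH and one UDP range
    # on the firewall host itself. Nothing else is decided by this rule.
    lan-to-fw = {
      from = [ "lan" ];
      to = [ "fw" ];
      allowedTCPPorts = [ 22 ];
      allowedUDPPortRanges = [ { from = 60000; to = 61000; } ];
    };

    # ruleType "policy" is applied in the last pass, so it only sees
    # lan->fw traffic that no "ban" or "rule" entry already accepted or
    # dropped: give that remainder a terminating reject verdict.
    lan-to-fw-reject = {
      from = [ "lan" ];
      to = [ "fw" ];
      ruleType = "policy";
      verdict = "reject";
    };
  };
}
```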

Options

networking.nftables.firewall.rules

Name
networking.nftables.firewall.rules
Description

This option has no description.

Type
attribute set of (submodule)
Default
{ }
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.after

Name
networking.nftables.firewall.rules.<name>.after
Description

This option has no description.

Type
non-empty (list of string)
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.allowedTCPPortRanges

Name
networking.nftables.firewall.rules.<name>.allowedTCPPortRanges
Description

This option has no description.

Type
list of (submodule)
Default
[ ]
Example
[ { from = 1337; to = 1347; } ]
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.allowedTCPPortRanges.*.from

Name
networking.nftables.firewall.rules.<name>.allowedTCPPortRanges.*.from
Description

This option has no description.

Type
16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.allowedTCPPortRanges.*.to

Name
networking.nftables.firewall.rules.<name>.allowedTCPPortRanges.*.to
Description

This option has no description.

Type
16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.allowedTCPPorts

Name
networking.nftables.firewall.rules.<name>.allowedTCPPorts
Description

This option has no description.

Type
list of signed integer
Default
[ ]
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.allowedUDPPortRanges

Name
networking.nftables.firewall.rules.<name>.allowedUDPPortRanges
Description

This option has no description.

Type
list of (submodule)
Default
[ ]
Example
[ { from = 55000; to = 56000; } ]
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.allowedUDPPortRanges.*.from

Name
networking.nftables.firewall.rules.<name>.allowedUDPPortRanges.*.from
Description

This option has no description.

Type
16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.allowedUDPPortRanges.*.to

Name
networking.nftables.firewall.rules.<name>.allowedUDPPortRanges.*.to
Description

This option has no description.

Type
16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.allowedUDPPorts

Name
networking.nftables.firewall.rules.<name>.allowedUDPPorts
Description

This option has no description.

Type
list of signed integer
Default
[ ]
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.before

Name
networking.nftables.firewall.rules.<name>.before
Description

This option has no description.

Type
non-empty (list of string)
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.early

Name
networking.nftables.firewall.rules.<name>.early
Description

This option has no description.

Type
boolean
Default
false
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.enable

Name
networking.nftables.firewall.rules.<name>.enable
Description

This option has no description.

Type
boolean
Default
true
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.extraLines

Name
networking.nftables.firewall.rules.<name>.extraLines
Description

This option has no description.

Type
list of string
Default
[ ]
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.from

Name
networking.nftables.firewall.rules.<name>.from
Description

This option has no description.

Type
value "all" (singular enum) or list of string
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.ignoreEmptyRule

Name
networking.nftables.firewall.rules.<name>.ignoreEmptyRule
Description

Usually rules without effect will fail the build. Enable this switch to suppress the check for this rule.

Type
boolean
Default
false
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.late

Name
networking.nftables.firewall.rules.<name>.late
Description

This option has no description.

Type
boolean
Default
false
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.ruleType

Name
networking.nftables.firewall.rules.<name>.ruleType
Description

The type of the rule specifies when rules are applied. The rules are applied in the following order: ban, then rule, then policy.

Usually most rules are of the type rule; the other types are mostly intended for special drop/reject rules.

Type
one of "ban", "rule", "policy"
Default
"rule"
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.to

Name
networking.nftables.firewall.rules.<name>.to
Description

This option has no description.

Type
value "all" (singular enum) or list of string
Declared in

modules/zoned.nix

networking.nftables.firewall.rules.<name>.verdict

Name
networking.nftables.firewall.rules.<name>.verdict
Description

This option has no description.

Type
null or one of "accept", "drop", "reject"
Default
null
Declared in

modules/zoned.nix