Zones

Zones define a part of the network topology. They are usually defined as a list of subnets or a list of interfaces, though custom rules for matching traffic are possible. There exists an implicit zone named all that matches all traffic. Traffic originating from or targeting the local machine is matched by a predefined zone called fw (short for firewall) by default.

Zones support inheritance. Each zone automatically gets the rules of its parent zone applied after its own, more specific rules have been applied.

Options

networking.nftables.firewall.zones

Name
networking.nftables.firewall.zones
Description

This option has no description.

Type
attribute set of (submodule)
Declared in

modules/zoned.nix

networking.nftables.firewall.zones.<name>.after

Name
networking.nftables.firewall.zones.<name>.after
Description

This option has no description.

Type
non-empty (list of string)
Declared in

modules/zoned.nix

networking.nftables.firewall.zones.<name>.before

Name
networking.nftables.firewall.zones.<name>.before
Description

This option has no description.

Type
non-empty (list of string)
Declared in

modules/zoned.nix

networking.nftables.firewall.zones.<name>.early

Name
networking.nftables.firewall.zones.<name>.early
Description

This option has no description.

Type
boolean
Default
false
Declared in

modules/zoned.nix

networking.nftables.firewall.zones.<name>.egressExpression

Name
networking.nftables.firewall.zones.<name>.egressExpression
Description

ingressExpression and egressExpression contain nft expressions that match the traffic defining the zone. Traffic matched by an ingressExpression is considered to originate in the zone, while traffic matched by an egressExpression is considered to target the zone.

If multiple expressions are given, any one of them matching suffices for the traffic to be considered part of the zone. This is used e.g. when defining a zone as an IPv4 and an IPv6 subnet: no traffic will ever match both, so one matching expression is sufficient.

ingressExpression and egressExpression must be balanced, i.e. both lists must contain the same number of expressions.

ingressExpression and egressExpression are mandatory for all zones except the local zone.
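The following is an added example, not configuration from the project, of a zone the shorthands cannot express: traffic from a subnet counts as the zone only when it also arrives on (or leaves via) a specific interface. The interface name and address ranges are invented. The shorthands append to the same two lists, where any single expression matching is enough, so an "interface AND subnet" condition has to be written as raw nft expressions. Both lists are balanced: two ingress entries, two egress entries, each egress entry being the outbound counterpart of an ingress entry.

```nix
{
  networking.nftables.firewall.zones.mgmt = {
    # Invented for this example: management hosts in 10.50.0.0/24 (IPv4) and
    # fd50::/64 (IPv6), trusted only when seen on interface eth2.
    # Either expression matching is sufficient; a packet never matches both.
    ingressExpression = [
      ''iifname "eth2" ip saddr 10.50.0.0/24''
      ''iifname "eth2" ip6 saddr fd50::/64''
    ];
    # Same conditions for traffic leaving towards the zone (oifname / daddr).
    egressExpression = [
      ''oifname "eth2" ip daddr 10.50.0.0/24''
      ''oifname "eth2" ip6 daddr fd50::/64''
    ];
  };
}
```

Binding the subnet to an interface is the reason to reach for raw expressions here: a zone defined by source addresses alone trusts whatever the packet claims as its source, and a host on another interface can spoof an address from the management range. Each entry must be a valid nft match; after switching, nft list ruleset shows the generated chains and is the quickest way to confirm the expressions ended up where expected.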

Type
list of string
Default
[ ]
Declared in

modules/zoned.nix

networking.nftables.firewall.zones.<name>.enable

Name
networking.nftables.firewall.zones.<name>.enable
Description

This option has no description.

Type
boolean
Default
true
Declared in

modules/zoned.nix

networking.nftables.firewall.zones.<name>.ingressExpression

Name
networking.nftables.firewall.zones.<name>.ingressExpression
Description

ingressExpression and egressExpression contain nft expressions that match the traffic defining the zone. Traffic matched by an ingressExpression is considered to originate in the zone, while traffic matched by an egressExpression is considered to target the zone.

If multiple expressions are given, any one of them matching suffices for the traffic to be considered part of the zone. This is used e.g. when defining a zone as an IPv4 and an IPv6 subnet: no traffic will ever match both, so one matching expression is sufficient.

ingressExpression and egressExpression must be balanced, i.e. both lists must contain the same number of expressions.

ingressExpression and egressExpression are mandatory for all zones except the local zone.

Type
list of string
Default
[ ]
Declared in

modules/zoned.nix

networking.nftables.firewall.zones.<name>.interfaces

Name
networking.nftables.firewall.zones.<name>.interfaces
Description

Shorthand for defining ingressExpression and egressExpression using iifname and oifname respectively.

This defines the zone as a list of network interfaces.

Type
list of string
Default
[ ]
Example
[ "eth0" ]
Declared in

modules/zoned.nix

networking.nftables.firewall.zones.<name>.ipv4Addresses

Name
networking.nftables.firewall.zones.<name>.ipv4Addresses
Description

Shorthand for defining ingressExpression and egressExpression using ip saddr and ip daddr respectively.

This defines the zone as a list of IPv4 hosts or subnets.

Type
list of string
Default
[ ]
Example
[ "192.168.0.0/24" ]
Declared in

modules/zoned.nix

networking.nftables.firewall.zones.<name>.ipv6Addresses

Name
networking.nftables.firewall.zones.<name>.ipv6Addresses
Description

Shorthand for defining ingressExpression and egressExpression using ip6 saddr and ip6 daddr respectively.

This defines the zone as a list of IPv6 hosts or subnets.

Type
list of string
Default
[ ]
Example
[ "2042::/16" ]
Declared in

modules/zoned.nix

networking.nftables.firewall.zones.<name>.late

Name
networking.nftables.firewall.zones.<name>.late
Description

This option has no description.

Type
boolean
Default
false
Declared in

modules/zoned.nix

networking.nftables.firewall.zones.<name>.parent

Name
networking.nftables.firewall.zones.<name>.parent
Description

In addition to ingressExpression and egressExpression, a zone can also be defined as a subzone of another zone. If so, traffic is matched against the zone's ingressExpression and egressExpression only if it is already considered part of the parent zone.

If traffic matches a zone, it is first tested whether it also matches any of its subzones. If so, the logic of the subzones is evaluated. If not, or if the subzones did not terminate rule processing with a verdict, the rules of the parent zone are applied.
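A worked configuration for the subzone behaviour described above and for the inheritance mentioned in the introduction of this page. This is an added example, not configuration shipped with the project: the zone names, interface name and address ranges are invented, and the rules option (with the fields from, to, allowedTCPPorts and verdict) is not documented on this page, so its field names and the accept-then-verdict ordering are assumed from the project's README and should be checked against the rules documentation. The enable lines are likewise assumed from the README.

```nix
{ config, ... }:
{
  # Assumed from the project README: the zoned firewall builds on the NixOS
  # nftables module, so both have to be enabled.
  networking.nftables.enable = true;
  networking.nftables.firewall.enable = true;

  networking.nftables.firewall.zones = {
    # Parent zone: everything arriving on / leaving via eth1
    # (shorthand for iifname "eth1" / oifname "eth1").
    lan = {
      interfaces = [ "eth1" ];
    };

    # Subzone: only traffic that already matched "lan" is tested against
    # these addresses. Either the IPv4 or the IPv6 expression matching is
    # enough, since a single packet never matches both.
    lan-guests = {
      parent = "lan";
      ipv4Addresses = [ "192.168.20.0/24" ];  # invented guest subnet
      ipv6Addresses = [ "fd20:0:0:20::/64" ];  # invented guest subnet
    };
  };

  # Field names assumed from the project README (not documented on this page).
  networking.nftables.firewall.rules = {
    # Applies to "lan" and, through inheritance, to "lan-guests": the
    # subzone's own rules run first, and the parent's rules run afterwards
    # for anything the subzone did not settle with a verdict.
    lan-to-fw = {
      from = [ "lan" ];
      to = [ config.networking.nftables.firewall.localZoneName ];  # "fw" by default
      allowedTCPPorts = [ 22 443 ];
    };

    # More specific rule for the subzone. Assumed semantics: the allowed port
    # is accepted first, then the verdict drops the rest. Because processing
    # ends with a verdict, the inherited lan-to-fw rule never sees guest
    # traffic, so guests do not inherit the SSH allowance.
    guests-to-fw = {
      from = [ "lan-guests" ];
      to = [ config.networking.nftables.firewall.localZoneName ];
      allowedTCPPorts = [ 443 ];
      verdict = "drop";
    };
  };
}
```

The point to check when relying on inheritance is the terminating verdict: a subzone rule that only accepts some ports and issues no verdict lets the remaining traffic fall through to the parent's rules, which is usually the opposite of what a "guest" zone is meant to do.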

Type
null or string
Default
null
Example
config.networking.nftables.firewall.localZoneName
Declared in

modules/zoned.nix