networking.nftables.gen.enable

Whether to enable these nftables rules.

Type: boolean

Default: false

Example: true

Declared by:

networking.nftables.gen.__rendered

Final nftables file string

Type: string

Default: ""

Declared by:

networking.nftables.gen.ignoreRegexSanityCheck

Whether to skip the sanity check that looks for re-replaced firewall rules such as <-dmz-internal.rockpro->.

Type: boolean

Default: false

Example: true

Declared by:

networking.nftables.gen.profiles

Profiles to enable.

Type: list of value “default” (singular enum)

Default:

[
  "default"
]

Declared by:

networking.nftables.gen.rules

Shared/reusable rules.

Type: attribute set of (submodule)

Default: { }

Declared by:

networking.nftables.gen.rules.<name>.enable

Whether to include rule in final rendered chain.

Type: boolean

Default: true

Declared by:

networking.nftables.gen.rules.<name>.__final

End chain type string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.__name

Rule name; it does not influence the rule except that it sets the comment by default.

Type: string

Default: "‹name›"

Declared by:

networking.nftables.gen.rules.<name>.comment

Comment to add to the end of the rule (for example “allow all to host”).

Type: string

Default: "‹name›"

Example: "jump another-chain"

Declared by:

networking.nftables.gen.rules.<name>.counter

Whether to add a counter before the verdict.

Type: boolean

Default: false

Declared by:

networking.nftables.gen.rules.<name>.daddr

Filter by destination address (daddr).

Type: list of string

Default: [ ]

Example:

[
  "10.1.1.1"
]

Declared by:

networking.nftables.gen.rules.<name>.iif

Filter by input interface index (iif).

Type: list of string

Default: [ ]

Example:

[
  "lan"
]

Declared by:

networking.nftables.gen.rules.<name>.iifname

Filter by input interface name (iifname).

Type: list of string

Default: [ ]

Example:

[
  "lan"
]

Declared by:

networking.nftables.gen.rules.<name>.log

Whether to add a log before the verdict.

Type: boolean

Default: false

Declared by:

networking.nftables.gen.rules.<name>.main

Main match expression of the rule. The rendered rule has the layout:

{preset filters} {main} {debug flags} {verdict}

Type: string

Default: ""

Example: "meta l4proto { icmp, ipv6-icmp }"

Declared by:

networking.nftables.gen.rules.<name>.mapset

Name of a mapset (from the table's mapsets) to match against.

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.n

Ordering of the rule when evaluated by the chain.

Default is: 100.

Type: signed integer

Default: 100

Declared by:

networking.nftables.gen.rules.<name>.oif

Filter by output interface index (oif).

Type: list of string

Default: [ ]

Example:

[
  "wan"
]

Declared by:

networking.nftables.gen.rules.<name>.oifname

Filter by output interface name (oifname).

Type: list of string

Default: [ ]

Example:

[
  "wan"
]

Declared by:

networking.nftables.gen.rules.<name>.pre

Extra string snippet to add before the auto-generated matchers.

Type: string

Default: ""

Example: "meta protocol ip"

Declared by:

networking.nftables.gen.rules.<name>.rewriteLists

String replacements run on the rule to generate __final.

Type: attribute set of list of string

Default:

{
  match = [
    "__name__"
    "__iifname__"
    "__oifname__"
    "__iif__"
    "__oif__"
    "__saddr__"
    "__daddr__"
  ];
  replace = [
    "‹name›"
    "__iifname__"
    "__oifname__"
    "__iif__"
    "__oif__"
    "__saddr__"
    "__daddr__"
  ];
}

Declared by:

networking.nftables.gen.rules.<name>.rule

Rule to look up in networking.nftables.gen.rules and apply values to.

Type: string

Default: "‹name›"

Example: "icmp-default"

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap

A list of string replacements to run to create the final rule.

Type: attribute set of (submodule)

Default: { }

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap.<name>.enable

Whether to enable this string replacement.

Type: boolean

Default: true

Example: true

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap.<name>.replace

Replacement string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap.<name>.stringMatch

String to match.

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.saddr

Filter by source address (saddr).

Type: list of string

Default: [ ]

Example:

[
  "10.11.0.0/24"
]

Declared by:

networking.nftables.gen.rules.<name>.tcpDport

Filter by TCP destination port (tcp dport).

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.tcpSport

Filter by TCP source port (tcp sport).

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.trace

Whether to add nftrace set 1 before the verdict.

Type: boolean

Default: false

Declared by:

networking.nftables.gen.rules.<name>.udpDport

Filter by UDP destination port (udp dport).

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.udpSport

Filter by UDP source port (udp sport).

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.verdict

Verdict to add to the end of the rule (for example “accept”).

Type: string

Default: ""

Example: "jump another-chain"

Declared by:
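As an added example (not the module's own code), the following Python models how the rules.<name>.* options above combine into one nftables rule line: the documented layout {preset filters} {main} {debug flags} {verdict}, the comment defaulting to the rule name, the __name__ rewrite and ruleReplaceMap replacements, and the sanity check for leftover <-...-> placeholders that ignoreRegexSanityCheck turns off. The emission order of the preset filters, the `ip saddr`/`ip daddr` keywords for the address lists, ascending ordering by n, and the exact placeholder regex are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Tokens left behind by an incomplete replacement, e.g. <-dmz-internal.rockpro->
# (the shape named by ignoreRegexSanityCheck); the exact regex is an assumption.
PLACEHOLDER_RE = re.compile(r"<-[^<>]*->")


@dataclass
class Rule:
    """One networking.nftables.gen.rules.<name> entry (documented fields only)."""
    name: str
    enable: bool = True
    n: int = 100
    pre: str = ""
    iif: List[str] = field(default_factory=list)
    iifname: List[str] = field(default_factory=list)
    oif: List[str] = field(default_factory=list)
    oifname: List[str] = field(default_factory=list)
    saddr: List[str] = field(default_factory=list)
    daddr: List[str] = field(default_factory=list)
    tcpDport: List[int] = field(default_factory=list)
    tcpSport: List[int] = field(default_factory=list)
    udpDport: List[int] = field(default_factory=list)
    udpSport: List[int] = field(default_factory=list)
    main: str = ""
    counter: bool = False
    log: bool = False
    trace: bool = False
    verdict: str = ""
    comment: str = ""
    # stringMatch -> replace pairs (ruleReplaceMap); __name__ is always mapped to the rule name
    ruleReplaceMap: Dict[str, str] = field(default_factory=dict)


def nft_set(values) -> str:
    """Render one value bare and several as an anonymous set: [53] -> "53", [53, 67] -> "{ 53, 67 }"."""
    items = [str(v) for v in values]
    return items[0] if len(items) == 1 else "{ " + ", ".join(items) + " }"


def preset_filters(r: Rule) -> List[str]:
    """Auto-generated matchers from the list options. The emission order and the use of
    'ip saddr'/'ip daddr' (IPv4 addresses, as in the page's examples) are assumptions."""
    matchers = (
        ("iif", r.iif), ("iifname", r.iifname), ("oif", r.oif), ("oifname", r.oifname),
        ("ip saddr", r.saddr), ("ip daddr", r.daddr),
        ("tcp dport", r.tcpDport), ("tcp sport", r.tcpSport),
        ("udp dport", r.udpDport), ("udp sport", r.udpSport),
    )
    return [f"{key} {nft_set(values)}" for key, values in matchers if values]


def render_rule(r: Rule) -> str:
    """Build {pre} {preset filters} {main} {debug flags} {verdict} comment "...",
    then apply the string replacements. Returns "" for a disabled rule."""
    if not r.enable:
        return ""
    debug = [flag for on, flag in ((r.counter, "counter"), (r.log, "log"), (r.trace, "nftrace set 1")) if on]
    parts = [r.pre, *preset_filters(r), r.main, *debug, r.verdict]
    text = " ".join(p for p in parts if p)
    text += f' comment "{r.comment or r.name}"'  # __name sets the comment by default
    for match, repl in {"__name__": r.name, **r.ruleReplaceMap}.items():
        text = text.replace(match, repl)
    return text


def leftover_placeholders(text: str) -> List[str]:
    """The sanity check skipped by ignoreRegexSanityCheck: placeholders still present."""
    return PLACEHOLDER_RE.findall(text)


def render_chain(rules: List[Rule]) -> List[str]:
    """Render the enabled rules ordered by n (ascending order is an assumption)."""
    return [line for line in (render_rule(r) for r in sorted(rules, key=lambda x: x.n)) if line]


if __name__ == "__main__":
    # Constructed sample rule; prints the rendered line and any leftover placeholders.
    dns = Rule(name="allow-dns", iifname=["lan"], saddr=["10.11.0.0/24"],
               udpDport=[53, 67], counter=True, verdict="accept")
    print(render_rule(dns))
    print(leftover_placeholders(render_rule(Rule(name="to-dmz", verdict="jump <-dmz-internal.rockpro->"))))
```

Running the sanity check on every rendered line before the ruleset is loaded is the point of the last two functions: a placeholder that survives rendering would otherwise reach nft as a bogus chain name and fail the load, or worse, a partial replacement could silently match the wrong thing.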

networking.nftables.gen.tables

Tables to generate.

Type: attribute set of (attribute set of (string or (submodule)))

Default: { }

Declared by:

networking.nftables.gen.tables.<name>.__chains

Chain objects.

Type: unspecified value

Default: { }

Declared by:

networking.nftables.gen.tables.<name>.__chainsStr

Chains rendered into a string

Type: strings concatenated with “\n”

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.__rendered

Rendered table string.

Type: strings concatenated with “\n”

Default:

''
  ## Table ‹name›
  table inet ‹name› {
    
    
    
  }
''

Declared by:

networking.nftables.gen.tables.<name>.__type

Table family (nftables address family).

Type: one of “inet”, “ip”, “ip6”, “bridge”, “netdev”, “arp”

Default: "inet"

Declared by:

networking.nftables.gen.tables.<name>.mapsets

Define custom sets, maps and verdict maps (set/map/vmap).

Type: attribute set of (submodule)

Default: { }

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.enable

Whether to include this mapset in the final rendered output.

Type: boolean

Default: true

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.__final

End chain type string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.__map

Final element string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements

element for map, can be a verdict

Type: list of (submodule)

Default: [ ]

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.__final

Final element string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.l

Left-hand side (<lhs>) of the map element; required.

Type: null or string

Default: null

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.r

Right-hand side (<rhs>) of the map element.

Type: null or string

Default: null

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.v

Verdict (<verdict>) of the map element.

Type: null or string

Default: null

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.extraConfig

Extra configuration to add.

Type: strings concatenated with “\n”

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.flags

Flags for the set/map. Available options:

  • constant - set content may not change while bound
  • interval - set contains intervals
  • timeout - elements can be added with a timeout

Type: list of (one of “constant”, “interval”, “timeout”)

Default: [ ]

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.lhs

lhs in the map <lhs> . <rhs>

Type: string

Default: "ipv4_addr"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.lhsType

Type to be used when generating the __map verdict.

Type: null or string

Default: null

Example: "iifname"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.name

Name of the map/set/vmap.

Type: string

Default: "‹name›"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.rhs

rhs in the map <lhs> . <rhs>

Type: null or string

Default: null

Example: "ifname"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.rhsType

Type to be used when generating the __map verdict.

Type: null or string

Default: null

Example: "oifname"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.type

Final type of the set/map/vmap/natmap:

  • set: list of elements (Nftables Sets)
  • map: hashmap/attrs of elements (Nftables maps)
  • vmap(r): verdict maps (Nftables verdict maps); can be a vmap or vmapr, where vmapr reverses the mapping:
      - [both] match : verdict ( lhs : verdict )
      - [vmap] match . match : verdict ( lhs . rhs : verdict )
      - [vmapr] match : match . match ( lhs : rhs . verdict )
    Example usage of vmapr: Nftables examples

Type: one of “set”, “map”, “vmap”, “vmapr”

Default: "set"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.typeDef

Final element type of the set/map/vmap.

Type: string

Default: "ipv4_addr"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.typeName

Type name to use when defining the named map/set/vmap.

Type: string

Default: "set"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.verdict

Optional verdict in the map: <lhs> : <verdict> or <lhs> . <rhs> : <verdict>.

Type: null or string

Default: null

Declared by:
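As an added example (not the module's own code), the following Python renders a named nftables set, map or verdict map from the mapsets.<name>.* options above, using the element layouts given in the `type` description ([both] lhs : verdict, [vmap] lhs . rhs : verdict, [vmapr] lhs : rhs . verdict) and the three documented flags. The nft keyword chosen per type (set for sets, map otherwise) and the quoting of ifname values are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

FLAGS = ("constant", "interval", "timeout")  # the documented flag values


@dataclass
class Element:
    """One mapsets.<name>.elements.* entry."""
    l: str                   # left-hand side, required
    r: Optional[str] = None  # right-hand side (map, vmap, vmapr)
    v: Optional[str] = None  # verdict (vmap, vmapr)


@dataclass
class Mapset:
    """One mapsets.<name> entry (documented fields only)."""
    name: str
    type: str = "set"          # one of set, map, vmap, vmapr
    lhs: str = "ipv4_addr"
    rhs: Optional[str] = None
    flags: List[str] = field(default_factory=list)
    elements: List[Element] = field(default_factory=list)
    extraConfig: str = ""


def literal(value: str, nft_type: Optional[str]) -> str:
    """ifname values are quoted strings in nft; addresses, ports and verdicts are bare (assumption)."""
    return f'"{value}"' if nft_type == "ifname" else value


def type_decl(m: Mapset) -> str:
    """The 'type ...;' line, following the per-type layouts on the page."""
    if m.type == "set":
        return f"type {m.lhs};"
    if m.type == "map":
        if m.rhs is None:
            raise ValueError("a map needs rhs")
        return f"type {m.lhs} : {m.rhs};"
    if m.type in ("vmap", "vmapr"):
        if m.rhs is None:
            return f"type {m.lhs} : verdict;"          # [both]
        if m.type == "vmap":
            return f"type {m.lhs} . {m.rhs} : verdict;"  # [vmap]
        return f"type {m.lhs} : {m.rhs} . verdict;"      # [vmapr]
    raise ValueError(f"unknown mapset type {m.type!r}")


def element_str(m: Mapset, e: Element) -> str:
    """Render one element in the layout that matches the mapset type."""
    l = literal(e.l, m.lhs)
    r = literal(e.r, m.rhs) if e.r is not None else None
    if m.type == "set":
        return l
    if m.type == "map":
        if r is None:
            raise ValueError("a map element needs r")
        return f"{l} : {r}"
    if e.v is None:
        raise ValueError("a verdict map element needs v")
    if r is None:
        return f"{l} : {e.v}"            # [both]   lhs : verdict
    if m.type == "vmap":
        return f"{l} . {r} : {e.v}"      # [vmap]   lhs . rhs : verdict
    return f"{l} : {r} . {e.v}"          # [vmapr]  lhs : rhs . verdict


def render_mapset(m: Mapset) -> str:
    """Render the named object; rejects flags outside the documented three."""
    bad = [f for f in m.flags if f not in FLAGS]
    if bad:
        raise ValueError(f"unsupported flags {bad}")
    keyword = "set" if m.type == "set" else "map"  # assumption: verdict maps are nft maps
    lines = [f"{keyword} {m.name} {{", f"    {type_decl(m)}"]
    if m.flags:
        lines.append(f"    flags {', '.join(m.flags)};")
    if m.extraConfig:
        lines.append(f"    {m.extraConfig}")
    if m.elements:
        lines.append("    elements = { " + ", ".join(element_str(m, e) for e in m.elements) + " }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed samples: an interval set and a vmap keyed on address . interface.
    print(render_mapset(Mapset(name="blocklist", flags=["interval"],
                               elements=[Element(l="10.11.0.0/24"), Element(l="10.1.1.1")])))
    print(render_mapset(Mapset(name="in-vmap", type="vmap", rhs="ifname",
                               elements=[Element(l="10.1.1.1", r="lan", v="accept")])))
```

Rendering the set separately from the rules that reference it (via rules.<name>.mapset) keeps the address lists out of the rule text, so a change to the set changes one object rather than every rule that matches on it.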