networking.nftables.gen.enable

Whether to enable these nftables rules.

Type: boolean

Default: false

Example: true

Declared by:

networking.nftables.gen.__rendered

Final nftables file string

Type: string

Default: ""

Declared by:

networking.nftables.gen.bridge.enable

Whether to enable bridge filtering integration.

Type: boolean

Default: false

Example: true

Declared by:

networking.nftables.gen.bridge.enableArp

Whether to allow ARP between bridge devices.

Type: boolean

Default: true

Example: true

Declared by:

networking.nftables.gen.bridge.enablePing

Whether to allow ping between bridge devices.

Type: boolean

Default: true

Example: true

Declared by:

networking.nftables.gen.bridge.defaultPolicy

Default policy inside the forward table.

Type: string

Default: "drop"

Declared by:

networking.nftables.gen.bridge.interfaceMap

Set of bridge devices to build an allow list for.

Type: attribute set of (submodule)

Default: { }

Example:

{
  eth0 = {
    to = "eth2";
  };
  eth1 = {
    to = [
      "eth0"
      "eth2"
    ];
  };
}

Declared by:

networking.nftables.gen.bridge.interfaceMap.<name>.from

Interface to expect IP traffic from.

Type: string

Default: "‹name›"

Example: "eth0"

Declared by:

networking.nftables.gen.bridge.interfaceMap.<name>.to

list of interfaces to apply dnat from on host (optional)

Type: string or list of string

Default: [ ]

Example: "eth2"

Declared by:

networking.nftables.gen.bridge.table

inet nft table to apply NAT rules to

Type: string

Default: "br"

Declared by:

networking.nftables.gen.dnat.enable

Whether to enable Destination NAT integration.

Type: boolean

Default: false

Example: true

Declared by:

networking.nftables.gen.dnat.gen

Generate redirect rules that forward ports on packets arriving at this host to other IPs.

Type: attribute set of (submodule)

Default: { }

Example:

{
  forward-tls = {
    port = 443;
    protocols = [
      "udp"
      "tcp"
    ];
    to = "127.0.0.1";
    toPort = 8443;
  };
  forward-to-host = {
    port = 8080;
    to = "127.0.0.1";
  };
}

Declared by:

networking.nftables.gen.dnat.gen.<name>.comment

Comment to add to the firewall rule.

Type: string

Example: "dnat for `name`"

Declared by:

networking.nftables.gen.dnat.gen.<name>.counter

Whether to add a counter to the forward rules.

Type: boolean

Default: true

Declared by:

networking.nftables.gen.dnat.gen.<name>.from

list of interfaces to apply dnat from on host (optional)

Type: list of string

Default: [ ]

Example:

[
  "eth0"
]

Declared by:

networking.nftables.gen.dnat.gen.<name>.port

port to DNAT from

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Example: 8080

Declared by:

networking.nftables.gen.dnat.gen.<name>.protocols

protocols to DNAT

Type: list of (one of “tcp”, “udp”)

Default:

[
  "tcp"
]

Declared by:

networking.nftables.gen.dnat.gen.<name>.to

IP address to redirect to

Type: string

Default: "10.1.1.1"

Example: "192.168.0.7"

Declared by:

networking.nftables.gen.dnat.gen.<name>.toPort

port to DNAT to

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: "8080"

Example: 8080

Declared by:

networking.nftables.gen.dnat.inetTable

inet nft table to apply NAT rules to

Type: string

Default: "filter"

Declared by:

networking.nftables.gen.ignoreRegexSanityCheck

Whether to skip the sanity check that looks for re-replaced firewall rules like <-dmz-internal.rockpro->.

Type: boolean

Default: false

Example: true

Declared by:

networking.nftables.gen.overrideNixosNftables

Whether to remove the NixOS-defined networking.nftables.tables and set the ruleset to the rules generated from gen.

Type: boolean

Default: true

Example: true

Declared by:

networking.nftables.gen.profiles

Profiles to enable.

Type: list of value “default” (singular enum)

Default:

[
  "default"
]

Declared by:

networking.nftables.gen.rules

Shared/reusable rules.

Type: attribute set of (submodule)

Default: { }

Declared by:

networking.nftables.gen.rules.<name>.enable

Whether to include rule in final rendered chain.

Type: boolean

Default: true

Declared by:

networking.nftables.gen.rules.<name>.__final

End chain type string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.__name

Rule name; it does not influence the rule except that it sets the comment by default.

Type: string

Default: "‹name›"

Declared by:

networking.nftables.gen.rules.<name>.comment

Comment to add to the end of the rule. Default: “”

Example: “allow all to host”

Type: string

Default: "‹name›"

Example: "jump another-chain"

Declared by:

networking.nftables.gen.rules.<name>.counter

Whether to add a counter before the verdict.

Type: boolean

Default: false

Declared by:

networking.nftables.gen.rules.<name>.daddr

Filter by daddr

Type: list of string

Default: [ ]

Example:

[
  "10.1.1.1"
]

Declared by:

networking.nftables.gen.rules.<name>.iif

Filter by iif

Type: list of string

Default: [ ]

Example:

[
  "lan"
]

Declared by:

networking.nftables.gen.rules.<name>.iifname

Filter by iifname

Type: list of string

Default: [ ]

Example:

[
  "lan"
]

Declared by:

networking.nftables.gen.rules.<name>.log

Whether to add a log before the verdict.

Type: boolean

Default: false

Declared by:

networking.nftables.gen.rules.<name>.main

Main action in rule.

{preset filters} {main} {debug flags} {verdict}

Type: string

Default: ""

Example: "meta l4proto { icmp, ipv6-icmp }"

Declared by:

networking.nftables.gen.rules.<name>.mapset

Mapset in table mapsets to match

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.n

Ordering of the rule when evaluated by the chain (lower values are evaluated first). Default is 100.

Type: signed integer

Default: 100

Declared by:

networking.nftables.gen.rules.<name>.oif

Filter by oif

Type: list of string

Default: [ ]

Example:

[
  "wan"
]

Declared by:

networking.nftables.gen.rules.<name>.oifname

Filter by oifname

Type: list of string

Default: [ ]

Example:

[
  "wan"
]

Declared by:

networking.nftables.gen.rules.<name>.pre

Extra string snippet to add before the auto-generated matchers.

Type: string

Default: ""

Example: "meta protocol ip"

Declared by:

networking.nftables.gen.rules.<name>.rewriteLists

String replacements run on the rule to generate __final.

Type: attribute set of list of string

Default:

{
  match = [
    "__name__"
    "__iifname__"
    "__oifname__"
    "__iif__"
    "__oif__"
    "__saddr__"
    "__daddr__"
  ];
  replace = [
    "‹name›"
    "__iifname__"
    "__oifname__"
    "__iif__"
    "__oif__"
    "__saddr__"
    "__daddr__"
  ];
}

Declared by:

networking.nftables.gen.rules.<name>.rule

Rule to look up in networking.nftables.gen.rules and apply values to.

Type: string

Default: "‹name›"

Example: "icmp-default"

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap

A list of string replacements to run to create the final rule.

Type: attribute set of (submodule)

Default: { }

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap.<name>.enable

Whether to enable this string replacement.

Type: boolean

Default: true

Example: true

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap.<name>.replace

Replacement string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap.<name>.stringMatch

String to match.

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.saddr

Filter by saddr

Type: list of string

Default: [ ]

Example:

[
  "10.11.0.0/24"
]

Declared by:

networking.nftables.gen.rules.<name>.tcpDport

Filter by tcp dport

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.tcpSport

Filter by tcp sport

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.trace

Whether to set nftrace before the verdict (`nftrace set 1`).

Type: boolean

Default: false

Declared by:

networking.nftables.gen.rules.<name>.udpDport

Filter by udp dport

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.udpSport

Filter by udp sport

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.verdict

What verdict to add to the end of the rule. Default: “”

Example: “accept”

Type: string

Default: ""

Example: "jump another-chain"

Declared by:

networking.nftables.gen.snat.enable

Whether to enable Source NAT integration.

Type: boolean

Default: false

Example: true

Declared by:

networking.nftables.gen.snat.defaultEgress

Default egress interfaces for SNAT interfaces.

Type: string or list of string

Default: [ ]

Declared by:

networking.nftables.gen.snat.maps

Set of internal interfaces to do SNAT for.

Type: attribute set of (submodule)

Default: { }

Example:

{
  eth0 = { };
  eth1.fromIP = "10.1.1.1";
}

Declared by:

networking.nftables.gen.snat.maps.<name>.from

Interface to expect IP traffic from.

Type: string

Default: "‹name›"

Example: "eth0"

Declared by:

networking.nftables.gen.snat.maps.<name>.fromIP

IP address to redirect to

Type: string or list of string

Example: "192.168.0.0/24"

Declared by:

networking.nftables.gen.snat.maps.<name>.to

list of interfaces to apply dnat from on host (optional)

Type: list of string

Default: [ ]

Declared by:

networking.nftables.gen.tables

Tables to generate.

Type: attribute set of (attribute set of (string or (submodule)))

Default: { }

Declared by:

networking.nftables.gen.tables.<name>.__rendered

Table Module.

Type: strings concatenated with “\n”

Default:

''
  ## Table ‹name›
  table inet ‹name› {
    
    
    
  }
''

Declared by:

networking.nftables.gen.tables.<name>.__type

Table Module.

Type: one of “inet”, “ip”, “ip6”, “bridge”, “netdev”, “arp”

Default: "inet"

Declared by:

networking.nftables.gen.tables.<name>.mapsets

Define a custom set/map/vmap.

Type: attribute set of (submodule)

Default: { }

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.enable

Whether to include rule in final rendered chain.

Type: boolean

Default: true

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.__final

End chain type string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.__map

End element string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.counter

Adds a counter to each element; only applicable to the set type.

Type: boolean

Default: false

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements

Elements for the map; each can be a verdict.

Type: list of (submodule)

Default: [ ]

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.__final

End element string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.l

<lhs> of the map element (required).

Type: null or string or signed integer

Default: null

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.r

<rhs> of the map element.

Type: null or string or signed integer

Default: null

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.v

<verdict> of the map element.

Type: null or string or signed integer

Default: null

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.extraConfig

Extra config to add.

Type: strings concatenated with “\n”

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.flags

Available options:

  • constant - set content may not change while bound
  • interval - set contains intervals
  • timeout - elements can be added with a timeout

Type: list of (one of “constant”, “interval”, “timeout”)

Default: [ ]

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.lhs

lhs in the map `<lhs> . <rhs>`

Type: string

Default: "ipv4_addr"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.lhsType

Type to be used for generating the __map verdict.

Type: null or string

Default: null

Example: "iifname"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.name

Name of the map/set/vmap.

Type: string

Default: "‹name›"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.rhs

rhs in the map `<lhs> . <rhs>`

Type: null or string

Default: null

Example: "ifname"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.rhsType

Type to be used for generating the __map verdict.

Type: null or string

Default: null

Example: "oifname"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.type

Final type of the set/map/vmap/natmap:

  • set: list or generic sets of elements (Nftables Sets)
  • map: hashmap/attrs of elements (Nftables maps); often used with dnat to / snat to, will never be selected by default
  • vmap(r): verdict maps (Nftables verdict maps); can be a vmap or vmapr, where vmapr reverses the mapping
    • [both] match : verdict ( lhs : verdict )
    • [vmap] match . match : verdict ( lhs . rhs : verdict )
    • [vmapr] match : match . match ( lhs : rhs . verdict )
    • example usage of vmapr: Nftables examples

Type: one of “set”, “map”, “vmap”, “vmapr”

Default: "set"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.typeDef

Final type definition of the set/map/vmap.

Type: string

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.typeName

Type name to set when defining a named map/set/vmap.

Type: string

Default: "set"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.verdict

Optional verdict in the map: <lhs> : <verdict> or <lhs> . <rhs> : <verdict>

Type: null or string

Default: null

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.verdictType

Weird naming: only used for the set type where 3 elements are concatenated together; used to generate typeDef.

Type: null or string

Default: null

Example: "oifname"

Declared by: