eyJhb changed the topic of #nixos-on-your-router to: NixOS on your Router || https://logs.nix.samueldr.com/nixos-on-your-router
<{^_^}> #69265 (by eyJhb, 36 weeks ago, open): networking.firewall.extraCommands: should run before all drop/reject
<eyJhb> It is a looong time ago, but I hope someone has comments on it ( hexa- , andi- , gchristensen, adisbladis )
<eyJhb> Anyone pretty much :D
* andi- avoid the firewall module as much as possible
<andi-> s/avoid/avoids/
<andi-> eyJhb: I am not sure those extra commands are supposed to augment the nixos specific rules or if they should *only* touch rules that they manage.
<eyJhb> andi-: so you don't have it enabled at all?
<eyJhb> Well, it would be nice to allow inserting rules before and after tbh.
<andi-> eyJhb: I do have it enabled but I try to move away from it.. Currently handwriting nft rules (with some nix string templating)
<eyJhb> Ahh :)
<andi-> eyJhb: you can do that with ip6tables -I <chain> <pos> -j LOG --log-prefix "foo: "
<andi-> now there is unfortunately no rulenum with -1 as the 2nd to last element :/
<mdlayher> +1 for nftables
<mdlayher> iptables is madness.
<mdlayher> i can actually read and follow the nft file syntax
<hexa-> i'm on nftables as well
<andi-> mdlayher: can you write a program that checks if an nft file is valid without root privs (or spawning a VM)?
<andi-> That is my main concern with nft right now....
<mdlayher> hm i dunno
<andi-> You can't :)
<andi-> I can't
<andi-> nobody can
<mdlayher> i was going to write an nftables lexer/parser at one point for funsies, especially since we have a pretty good nftables manipulation package for Go
<andi-> all of the known filters (and their syntax?) are only available in the kernel
<andi-> we would need some unpriv interface to verify config / extract syntax trees
<mdlayher> that would be nice. i think the nixos module verifies things before starting up
<hexa-> not sure that is the case
<hexa-> it has a checkScript looking whether ip_tables is loaded and else executes the rulesScript
<hexa-> does a `nft -f` rollback if something fails?
<hexa-> does a `nft -f` script rollback if something fails?
<andi-> it is supposed to be atomic
<andi-> so I would guess so
<andi-> and in my experience it was never in a "broken" state
<hexa-> hm, true
<hexa-> i can't say that either