#nixos-on-your-router on 2020-06-02

2019-08-19 13:17 eyJhb changed the topic of #nixos-on-your-router to: NixOS on your Router || https://logs.nix.samueldr.com/nixos-on-your-router

03:08 andi- has quit [Ping timeout: 272 seconds]

03:22 andi- has joined #nixos-on-your-router

03:42 hexa- has quit [Quit: WeeChat 2.7.1]

03:44 hexa- has joined #nixos-on-your-router

03:48 hexa- has quit [Client Quit]

03:50 hexa- has joined #nixos-on-your-router

03:53 hexa- has quit [Client Quit]

03:54 hexa- has joined #nixos-on-your-router

08:31 <eyJhb> Any comments on this? https://github.com/NixOS/nixpkgs/issues/69265

08:31 <{^_^}> #69265 (by eyJhb, 36 weeks ago, open): networking.firewall.extraCommands: should run before all drop/reject

08:33 <eyJhb> It is a looong time ago, but I hope someone has comments on it ( hexa- , andi- , gchristensen, adisbladis )

08:33 <eyJhb> Anyone pretty much :D

09:45 * andi- avoid the firewall module as much as possible

09:45 <andi-> s/avoid/avoids/

09:46 <andi-> eyJhb: I am not sure those extra commands are supposed to augment the nixos specific rules or if they should *only* touch rules that they manage.

09:46 <eyJhb> andi-: so you don't have it enabled at all?

09:46 <eyJhb> Well, it would be nice to allow to insert rules before and after tbh.

09:46 <andi-> eyJhb: I do have it enabled but I try to move away from it.. Currently handwriting nft rules (with some nix string templating)

09:46 <eyJhb> Ahh :)

09:47 <andi-> eyJhb: you can do that with ip6tables -I <chain> <pos> -j LOG --log-prefix "foo: "

09:49 <andi-> now there is unfortunately no rulenum with -1 as the 2nd to last element :/

11:31 <mdlayher> +1 for nftables

11:31 <mdlayher> iptables is madness.

11:31 <mdlayher> i can actually read and follow the nft file syntax

12:29 <hexa-> i'm on nftables as well

12:38 <andi-> mdlayher: can you write a program that checks if an nft file is valid without root privs (or spawning a VM)?

12:38 <andi-> That is my main concern with nft right now....

12:41 <mdlayher> hm i dunno

12:41 <andi-> You can't :)

12:41 <andi-> I can't

12:41 <andi-> nobody can

12:41 <mdlayher> i was going to write an nftables lexer/parser at one point for funsies, especially since we have a pretty good nftables manipulation package for Go

12:42 <andi-> all of the known filters (and their syntax?) are only available in the kernel

12:42 <andi-> we would need some unpriv interface to verify config / extract syntax trees

12:43 <mdlayher> that would be nice. i think the nixos module verifies things before starting up

13:08 <hexa-> not sure that is the case

13:09 <hexa-> it has a checkScript looking whether ip_tables is loaded and else executes the rulesScript

13:09 <hexa-> does a `nft -f` rollback if something fails?

13:09 <hexa-> does a `nft -f` script rollback if something fails?

13:10 <andi-> it is supposed to be atomic

13:10 <andi-> so I would guess so

13:10 <andi-> and in my experience it was never in a "broken" state

13:10 <hexa-> hm, true

13:10 <hexa-> i can't say that either