From 1ad0a7751c166cfe190122b70a06cf80c5491709 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moira=20H=C3=B6sel?=
Date: Sun, 7 Apr 2024 15:57:51 +0200
Subject: [PATCH] use networking.firewall instead of nftables.ruleset

---
 parsons/nftables.nix | 73 ++++++++------------------------------------
 1 file changed, 12 insertions(+), 61 deletions(-)

diff --git a/parsons/nftables.nix b/parsons/nftables.nix
index 6e5ebc0..a9e6614 100644
--- a/parsons/nftables.nix
+++ b/parsons/nftables.nix
@@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 {
- networking.firewall.enable = false;
+ networking.firewall.enable = true;
 networking.nat.enable = false;
 boot = {
 kernelModules = [ "nf_nat_ftp" ];
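Review bot: Turning on `networking.firewall` here closes every inbound port that the ruleset deleted in the second hunk explicitly accepted (TCP 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 and UDP 60000-61000, 64738), and nothing in this patch re-declares them. Unless those ports are opened elsewhere (an `openFirewall` on the respective service modules, or allow-lists in another file), the services listening on them become unreachable once the NixOS firewall's default-deny input chain takes over. If they are meant to stay open, the equivalent here is `networking.firewall.allowedTCPPorts = [ 25 80 443 465 587 993 4190 62954 64738 ];`, `networking.firewall.allowedUDPPorts = [ 64738 ];` and `networking.firewall.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ];`. The ICMPv6 and DHCPv6-client accepts from the old input chain are, as far as I recall, provided by the NixOS firewall itself, so those need no replacement.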
@@ -11,67 +11,18 @@
 };
 };
- networking.nftables = {
- enable = true;
-
- ruleset = ''
- table inet filter {
- chain input {
- type filter hook input priority filter
- policy drop
-
- icmpv6 type {
- echo-request,
- echo-reply,
- mld-listener-query,
- mld-listener-report,
- mld-listener-done,
- nd-router-advert,
- nd-neighbor-solicit,
- nd-neighbor-advert,
- packet-too-big
- } accept
-
- icmp type echo-request accept
-
- ct state invalid drop
- ct state established,related accept
-
- iifname { lo } accept
-
- tcp dport { 25, 80, 443, 465, 587, 993, 4190, 62954, 64738 } accept
-
- udp dport { 60000-61000, 64738 } accept
-
- # DHCPv6
- ip6 daddr fe80::/64 udp dport 546 accept
-
- counter
- }
- chain output {
- type filter hook output priority filter
- policy accept
-
- counter
- }
- chain forward {
- type filter hook forward priority filter
- policy accept
-
- counter
- }
+ networking.nftables.enable = true;
+ networking.nftables.tables.nat = {
+ family = "ip";
+ content = ''
+ chain prerouting {
+ type nat hook prerouting priority -100
+ iifname enp35s0 tcp dport { 22 } dnat ${config.containers.forgejo.localAddress}:22
 }
-
- table ip nat {
- chain prerouting {
- type nat hook prerouting priority -100
- iifname enp35s0 tcp dport { 22 } dnat ${config.containers.forgejo.localAddress}:22
- }
- chain postrouting {
- type nat hook postrouting priority 100
- iifname lxcbr0 oifname enp35s0 masquerade
- iifname ve-* oifname enp35s0 masquerade
- }
+ chain postrouting {
+ type nat hook postrouting priority 100
+ iifname lxcbr0 oifname enp35s0 masquerade
+ iifname ve-* oifname enp35s0 masquerade
 }
 '';
 };
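Review bot: The kept DNAT rule (`iifname enp35s0 tcp dport { 22 } dnat ${config.containers.forgejo.localAddress}:22`) now depends on the NixOS firewall's forward chain rather than on the accept-policy forward chain that the removed ruleset declared, and that dependency is invisible in the new code. With the nftables backend the forward hook is, as far as I recall, left unfiltered unless `networking.firewall.filterForward` is set, so the redirect keeps working today but silently breaks the moment someone enables that option. I would record this above the rule in the `content` string: `# port 22 on enp35s0 is redirected into the forgejo container; this relies on the NixOS firewall not filtering forward traffic (networking.firewall.filterForward unset) or on an explicit forward accept for the container address`. Since `networking.nat.enable` stays false (first hunk) the hand-written `nat` table does not collide with the module-managed NAT table, which is worth a one-line comment on the `tables.nat` attribute as well.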