networking/nftables: enable flushing ruleset for older versions

Co-authored-by: Naïm Favier <n@monade.li>

1 files changed, 4 insertions, 0 deletions

diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix
index 4bc115cd580c..810dc22a20a8 100644
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@@ -83,6 +83,8 @@ in
       '';
     };
 
+    networking.nftables.flushRuleset = mkEnableOption (lib.mdDoc "Flush the entire ruleset on each reload.");
+
     networking.nftables.ruleset = mkOption {
       type = types.lines;
       default = "";
@@ -209,6 +211,7 @@ in
     boot.blacklistedKernelModules = [ "ip_tables" ];
     environment.systemPackages = [ pkgs.nftables ];
     networking.networkmanager.firewallBackend = mkDefault "nftables";
+    networking.nftables.flushRuleset = mkDefault (versionOlder config.system.stateVersion "23.11");
     systemd.services.nftables = {
       description = "nftables firewall";
       before = [ "network-pre.target" ];
@@ -222,6 +225,7 @@ in
           executable = true;
           text = ''
             #! ${pkgs.nftables}/bin/nft -f
+            ${optionalString cfg.flushRuleset "flush ruleset"}
             ${concatStringsSep "\n" (mapAttrsToList (_: table: ''
               table ${table.family} ${table.name}
               delete table ${table.family} ${table.name}