feat(nftables): update to new nftables firewall branch

modules/config/nftables.nix

@@ -27,43 +27,28 @@
 
     firewall = {
       enable = true;
-
-      # TODO mkForce nftables
-      zones = lib.mkForce {
-        local.localZone = true;
+      localZoneName = "local";
+      snippets = {
+        nnf-conntrack.enable = true;
+        nnf-drop.enable = true;
+        nnf-loopback.enable = true;
+        nnf-ssh.enable = true;
+        nnf-icmp = {
+          enable = true;
+          ipv6Types = ["echo-request" "destination-unreachable" "packet-too-big" "time-exceeded" "parameter-problem" "nd-router-advert" "nd-neighbor-solicit" "nd-neighbor-advert"];
+          ipv4Types = ["echo-request" "destination-unreachable" "router-advertisement" "time-exceeded" "parameter-problem"];
+        };
       };
 
-      rules = lib.mkForce {
-        icmp = {
-          early = true;
-          after = ["ct"];
-          from = "all";
-          to = ["local"];
-          extraLines = [
-            "ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept"
-            "ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept"
-            #"ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp dport 546 accept" # (dhcpv6)
-          ];
-        };
+      rules.untrusted-to-local = {
+        from = ["untrusted"];
+        to = ["local"];
 
-        ssh = {
-          early = true;
-          after = ["ct"];
-          from = "all";
-          to = ["local"];
-          allowedTCPPorts = config.services.openssh.ports;
-        };
-
-        untrusted-to-local = {
-          from = ["untrusted"];
-          to = ["local"];
-
-          inherit
-            (config.networking.firewall)
-            allowedTCPPorts
-            allowedUDPPorts
-            ;
-        };
+        inherit
+          (config.networking.firewall)
+          allowedTCPPorts
+          allowedUDPPorts
+          ;
       };
     };
   };

modules/config/resolved.nix

@@ -60,17 +60,11 @@
     );
   in
     lib.mkIf (mdnsInterfaces != []) {
-      # TODO mkForce nftables
-      zones = lib.mkForce {
-        mdns.interfaces = mdnsInterfaces;
-      };
-
-      rules = lib.mkForce {
-        mdns-to-local = {
-          from = ["mdns"];
-          to = ["local"];
-          allowedUDPPorts = [5353];
-        };
+      zones.mdns.interfaces = mdnsInterfaces;
+      rules.mdns-to-local = {
+        from = ["mdns"];
+        to = ["local"];
+        allowedUDPPorts = [5353];
       };
     };
 }

modules/meta/microvms.nix

@@ -190,11 +190,8 @@
             };
           };
 
-        # TODO mkForce nftables
         networking.nftables.firewall = {
-          zones = mkForce {
-            untrusted.interfaces = [vmCfg.networking.mainLinkName];
-          };
+          zones.untrusted.interfaces = [vmCfg.networking.mainLinkName];
         };
 
         meta.wireguard = mkIf vmCfg.localWireguard {

modules/meta/wireguard.nix

@@ -20,7 +20,6 @@
     mapAttrsToList
     mdDoc
     mergeToplevelConfigs
-    mkForce
     mkIf
     mkOption
     net
@@ -134,11 +133,9 @@
       [wgCfg.server.port];
 
     # Open the port in the given nftables rule if specified
-    # TODO mkForce nftables
-    networking.nftables.firewall.rules = mkForce (
+    networking.nftables.firewall.rules =
       optionalAttrs (isServer && wgCfg.server.openFirewallRules != [])
-      (genAttrs wgCfg.server.openFirewallRules (_: {allowedUDPPorts = [wgCfg.server.port];}))
-    );
+      (genAttrs wgCfg.server.openFirewallRules (_: {allowedUDPPorts = [wgCfg.server.port];}));
 
     age.secrets =
       concatAttrs (map