From cd3af25932425e1b1acfaad9c9ee85694fe70ae6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Kr=C3=BCger?=
Date: Mon, 26 Dec 2022 00:35:15 +0100
Subject: [PATCH] networking/nftables: enable flushing ruleset for older versions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Naïm Favier
---
 nixos/modules/services/networking/nftables.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix
index 4bc115cd580..810dc22a20a 100644
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@@ -83,6 +83,8 @@ in
 '';
 };
 
+ networking.nftables.flushRuleset = mkEnableOption (lib.mdDoc "Flush the entire ruleset on each reload.");
+
 networking.nftables.ruleset = mkOption {
 type = types.lines;
 default = "";
@@ -209,6 +211,7 @@ in
 boot.blacklistedKernelModules = [ "ip_tables" ];
 environment.systemPackages = [ pkgs.nftables ];
 networking.networkmanager.firewallBackend = mkDefault "nftables";
+ networking.nftables.flushRuleset = mkDefault (versionOlder config.system.stateVersion "23.11");
 systemd.services.nftables = {
 description = "nftables firewall";
 before = [ "network-pre.target" ];
@@ -222,6 +225,7 @@ in
 executable = true;
 text = ''
 #! ${pkgs.nftables}/bin/nft -f
+ ${optionalString cfg.flushRuleset "flush ruleset"}
 ${concatStringsSep "\n" (mapAttrsToList (_: table: ''
 table ${table.family} ${table.name}
 delete table ${table.family} ${table.name}
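Review bot: The description on the added `networking.nftables.flushRuleset` option does not say what gets flushed: `flush ruleset` removes every table in the kernel, not only the ones this module declares, so tables owned by other programs — including NetworkManager, whose `firewallBackend` this same module defaults to `nftables` in the second hunk — are wiped on every reload. It also leaves the reader unaware that the default is derived from `system.stateVersion` rather than being plain `false`. I would replace the string with something like `Flush the entire ruleset on each reload. This also removes tables created by other programs that manage their own nftables tables (for example NetworkManager). Defaults to true on systems whose stateVersion is older than 23.11; set it to false to only reset the tables declared in this module.`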
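Review bot: The added default `mkDefault (versionOlder config.system.stateVersion "23.11")` forks the firewall's reload behaviour on a value most users never revisit, and nothing in the hunk records why; a one-line comment above it would save the next maintainer a trip through git blame, e.g. `# Flushing the whole ruleset was the behaviour before 23.11; keep it on existing systems, newer ones only touch their own tables.` The diffstat lists only this module, so the stateVersion-dependent default is presumably not mentioned in the 23.11 release notes either, which is where users on older stateVersions would learn that they can opt out. The enclosing `config` attribute set starts and ends outside the hunk.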
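Review bot: With `cfg.flushRuleset` false, the script below the added `${optionalString cfg.flushRuleset "flush ruleset"}` line only issues `delete table` for the tables present in the current configuration (the `mapAttrsToList` run that follows), so a table declared in a previous generation and since removed from the configuration would, as far as this hunk shows, stay loaded with its rules after a switch — unless the service's stop or reload path handles that outside the visible lines. If that is the intended trade-off it should be stated where the operator will see it, e.g. a comment above the added line: `# Without 'flush ruleset' only the tables declared below are reset; tables left over from an earlier generation are not removed.` Minor: when the option is false the `optionalString` leaves an empty line in the generated script, which `nft -f` accepts. The `text` string continues past the end of the hunk.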