Enable nftables

hosts/aluminium/configuration.nix

@@ -1,9 +1,5 @@
 { config, lib, pkgs, ... }:
 
-let
-  iptablesAppendIfMissing = rule: "iptables -C " + rule + " || iptables -A " + rule;
-  iptablesInsertIfMissing = rule: "iptables -C " + rule + " || iptables -I " + rule;
-in
 {
   imports = [
     ./hardware-configuration.nix
@@ -78,13 +74,13 @@ in
         "voice"
       ];
     };
-    firewall = {
-      extraCommands = lib.concatStringsSep "\n" [
-        (iptablesAppendIfMissing "FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu")
-        (iptablesInsertIfMissing "INPUT -i voice -p udp -m udp --dport 5060 -j ACCEPT")
-        (iptablesInsertIfMissing "INPUT -s 217.10.68.150 -p udp --dport 5060 -j ACCEPT")
-      ];
-    };
+    firewall.extraForwardRules = ''
+      tcp flags syn tcp option maxseg size set rt mtu
+    '';
+    firewall.extraInputRules = ''
+      iifname "voice" udp dport 5059 accept
+      ip saddr 217.10.68.150 udp dport 5060 accept
+    '';
   };
 
 

hosts/iron/configuration.nix

@@ -29,7 +29,6 @@ let
     biosBoot = "-part4";
   };
   efiSystemPartitions = (map (diskName: diskName + partitionScheme.efiBoot) disks);
-  iptablesAppendIfMissing = rule: "iptables -C " + rule + " || iptables -A " + rule;
 in
 with lib; {
   imports = [
@@ -75,11 +74,9 @@ with lib; {
         ];
       };
 
-      firewall = {
-        extraCommands = lib.concatStringsSep "\n" [
-          (iptablesAppendIfMissing "FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu")
-        ];
-      };
+      firewall.extraForwardRules = ''
+        tcp flags syn tcp option maxseg size set rt mtu
+      '';
     };
 
     services.radvd = {

modules/networking/default.nix

@@ -8,4 +8,6 @@
   ];
 
   networking.firewall.logRefusedConnections = lib.mkDefault false;
+
+  networking.nftables.enable = true;
 }