nixos/firewall: assert that the kernel supports conntrack helper auto-loading

2025-07-13 21:50:33 +03:00 · 2023-03-04 10:50:13 +03:00 · 2023-03-04 10:50:13 +03:00 · 18f85de76d
commit 18f85de76d
parent 2eeefe41f5
2 changed files with 6 additions and 0 deletions
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@ -269,6 +269,10 @@ in
        assertion = cfg.filterForward -> config.networking.nftables.enable;
        message = "filterForward only works with the nftables based firewall";
      }
+      {
+        assertion = cfg.autoLoadConntrackHelpers -> lib.versionOlder config.boot.kernelPackages.kernel.version "6";
+        message = "conntrack helper autoloading has been removed from kernel 6.0 and newer";
+      }
    ];

    networking.firewall.trustedInterfaces = [ "lo" ];