| 27 Jul 2025 |
antifuchs | (The readme is more cautious about promises it makes about the functionality there; I’ve been using this for like a year or two and it has pretty good e2e tests. I’d say it’s pretty ready for prime time (:) | 01:16:34 |
antifuchs | (I ought to update that readme section, it predates me actually thinking about most of these things and either writing tests or relying on them heavily and then writing a test, lol) | 01:21:34 |
ElvishJerricco | antifuchs: yea, that ended up being really easy to set up, and it does pretty much exactly what I was looking for. Sweet. | 06:13:12 |
ElvishJerricco | I still will probably eventually end up doing all the custom DNS type stuff they were talking about before but that's more effort and now I can put that off longer :P | 06:13:34 |
| sodiboo joined the room. | 13:17:46 |
| 28 Jul 2025 |
emily | https://github.com/systemd/systemd/commit/5c68c51045c27d77b7afc211df7304a958d8cf24 | 13:32:24 |
emily | 🪦 | 13:32:33 |
emily | we should probably kill off some of our iptables detritus | 13:34:21 |
emily | though probably much of it will die with scripted networking already | 13:34:50 |
emily | wow apparently Docker still does not support nftables | 13:35:10 |
emily | > Our initial plan was to include nftables support in v29, but it's not going to make it as the first RC is scheduled for July 10 (although this date might slip). The implementation itself is in good shape, but it needs thorough review before it can be merged and released. We've an Epic open here to track the work left: moby/moby#49634. | 13:35:22 |
emily | thankfully they have an Epic | 13:35:26 |
magic_rb | No it doesn't, along with "you'd be surprised how many things" | 13:35:35 |
emily | hopefully it will achieve For the Win status in a timely manner | 13:35:37 |
magic_rb | (in reply to @emilazy:matrix.org: "we should probably kill off some of our iptables detritus") Yes please, let's kill it with fire, it's 2025 | 13:36:01 |
emily | frankly the NixOS firewall probably just does not work well with half of them anyway | 13:36:04 |
emily | but I expect we can kill any remaining iptables nonsense at the same time as scripted networking | 13:36:21 |
emily | also it would be real nice to use firewalld or something instead of homegrown stuff for that | 13:36:35 |
emily | but that's another whole project | 13:36:37 |
magic_rb | I'd say no firewall works well with them because interoperability at the iptables/nftables level is grossly at the wrong level, but that's another separate rant | 13:37:02 |
Molly Miller | getting docker to work with scripted networking and iptables is a bit painful but doable | 13:38:20 |
Molly Miller | (ask me how i know, etc etc) | 13:38:30 |
magic_rb | I personally gave up, I put k3s (containerd) into a separate network namespace and do the firewalling on the outside | 13:39:17 |
Marcel | Ifstate is not in the release phase for V2 so I am preparing to upstream the nix module to nixpkgs. The question is if the options should be under networking.ifstate or services.ifstate or somewhere different? That's how it's currently done in my flake: https://search.nüschtos.de/?scope=IfState.nix | 16:01:33 |
Marcel | * Ifstate is now in the release candidate phase for V2 so I am preparing to upstream the nix module to nixpkgs. The question is if the options should be under networking.ifstate or services.ifstate or somewhere different? That's how it's currently done in my flake: https://search.nüschtos.de/?scope=IfState.nix services.ifstate might not be optimal because it's not a daemon and only runs on boot or rebuild | 16:03:46 |
adamcstephens | networking.ifstate seems reasonable to me | 16:06:06 |
Zhaofeng Li | interesting, what's your setup like? I might do something similar, but for the wrong reasons :p | 16:13:06 |