From 28d32452017df6d8b0308623ea1866c87ca3c5e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Lima?=
Date: Sun, 10 Aug 2025 19:42:24 +0100
Subject: [PATCH] nixos/libvirtd: allow changing firewall backend
---
 .../manual/release-notes/rl-2511.section.md | 1 +
 nixos/modules/virtualisation/libvirtd.nix | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/nixos/doc/manual/release-notes/rl-2511.section.md b/nixos/doc/manual/release-notes/rl-2511.section.md
index cf7fff41de48..0e5777a0a0c7 100644
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -168,6 +168,7 @@
 - `services.gitea` supports sending notifications with sendmail again. To do this, activate the parameter `services.gitea.mailerUseSendmail` and configure SMTP server.
 - `libvirt` now supports using `nftables` backend.
+ - The `virtualisation.libvirtd.firewallBackend` option can be used to configure the firewall backend used by libvirtd.
 - `systemd.extraConfig` and `boot.initrd.systemd.extraConfig` was converted to RFC42-style `systemd.settings.Manager` and `boot.initrd.systemd.settings.Manager` respectively.
 - `systemd.watchdog.runtimeTime` was renamed to `systemd.settings.Manager.RuntimeWatchdogSec`
diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix
index 4eac848e68a8..a8cb398d52d4 100644
--- a/nixos/modules/virtualisation/libvirtd.nix
+++ b/nixos/modules/virtualisation/libvirtd.nix
@@ -31,6 +31,10 @@ let
 ''}
 ${cfg.qemu.verbatimConfig}
 '';
+ networkConfigFile = pkgs.writeText "network.conf" ''
+ firewall_backend = "${cfg.firewallBackend}"
+ '';
+
 dirName = "libvirt";
 subDirs = list: [ dirName ] ++ map (e: "${dirName}/${e}") list;
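Review bot: `networkConfigFile` is a whole-file replacement for `network.conf` that models only `firewall_backend`, while the `qemuConfigFile` directly above it also splices in `cfg.qemu.verbatimConfig` for anything the module does not model, and nothing in the hunk explains why the two generated files differ. The value is safe to interpolate because the option is an enum, but a maintainer adding a second key later would not know that the copy step later in this patch overwrites any hand-edited `network.conf` in the libvirt directory on every start. A one-line comment above the binding would cover both: `# Generated network.conf; only firewall_backend is modelled, and the copy into /var/lib/${dirName} replaces any manual edits to that file.` The enclosing `let` block starts outside the hunk.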
@@ -385,6 +389,18 @@ in
 Whether to configure OpenSSH to use the [SSH Proxy](https://libvirt.org/ssh-proxy.html).
 '';
 };
+
+ firewallBackend = mkOption {
+ type = types.enum [
+ "iptables"
+ "nftables"
+ ];
+ default = if config.networking.nftables.enable then "nftables" else "iptables";
+ defaultText = lib.literalExpression "if config.networking.nftables.enable then \"nftables\" else \"iptables\"";
+ description = ''
+ The backend used to setup virtual network firewall rules.
+ '';
+ };
 };
 ###### implementation
@@ -462,6 +478,9 @@ in
 # Copy generated qemu config to libvirt directory
 cp -f ${qemuConfigFile} /var/lib/${dirName}/qemu.conf
+ # Copy generated network config to libvirt directory
+ cp -f ${networkConfigFile} /var/lib/${dirName}/network.conf
+
 # stable (not GC'able as in /nix/store) paths for using in section of xml configs
 for emulator in ${cfg.package}/libexec/libvirt_lxc ${cfg.qemu.package}/bin/qemu-kvm ${cfg.qemu.package}/bin/qemu-system-*; do
 ln -s --force "$emulator" /run/${dirName}/nix-emulators/
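Review bot: The `description` of `firewallBackend` does not tell the user the two things that matter when choosing a value: that the default tracks `networking.nftables.enable`, so the virtual-network rules land in the same backend as the host firewall, and that because the module always writes the key into `network.conf` the choice is pinned rather than left to libvirt (if I read libvirt's `network.conf` handling correctly, an unset key lets the daemon pick a backend itself, so the userspace tooling for the selected backend must be present on the host). "setup" as a verb should also be "set up". I would replace the description body with `The firewall backend libvirt uses to set up the rules for its virtual networks.` followed by `Defaults to nftables when networking.nftables.enable is set, so the rules live in the same backend as the host firewall; the value is always written to network.conf, so libvirt's own backend selection is not used.` The enclosing options attribute set starts outside the hunk.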