Yureka Lilian writes: > Signed-off-by: Yureka Lilian > --- > vm/sys/net/default.nix | 13 +++++++++---- > vm/sys/net/image/etc/fstab | 2 ++ > vm/sys/net/image/etc/mdev/iface | 27 ++++++++------------------- > vm/sys/net/image/etc/nftables.conf | 16 ++++++++++++---- > 4 files changed, 31 insertions(+), 27 deletions(-) Looks good. Just a couple of small questions. > diff --git a/vm/sys/net/default.nix b/vm/sys/net/default.nix > index c7ae88e..fd5bf08 100644 > --- a/vm/sys/net/default.nix > +++ b/vm/sys/net/default.nix > @@ -2,12 +2,12 @@ > # SPDX-FileCopyrightText: 2021-2023 Alyssa Ross > > import ../../../lib/call-package.nix ( > -{ spectrum-build-tools, src, terminfo, pkgsMusl }: > +{ spectrum-build-tools, spectrum-driver-tools, src, terminfo, pkgsMusl }: We're taking this from the default package set, where it's built with Glibc — presumably it should be built with musl like everything else in the VM? > diff --git a/vm/sys/net/image/etc/nftables.conf b/vm/sys/net/image/etc/nftables.conf > index 296d92c..cc8e462 100644 > --- a/vm/sys/net/image/etc/nftables.conf > +++ b/vm/sys/net/image/etc/nftables.conf > @@ -1,8 +1,16 @@ > # SPDX-License-Identifier: EUPL-1.2+ > -# SPDX-FileCopyrightText: 2021 Alyssa Ross > +# SPDX-FileCopyrightText: 2025 Yureka Lilian > > -table nat { > - chain postrouting { > - type nat hook postrouting priority 100; > +table driver-fw { > + chain input { > + type filter hook input priority filter; policy drop; > + } > + > + chain output { > + type filter hook output priority filter; policy drop; > + } > + > + chain forward { > + type filter hook forward priority filter; policy drop; > } > } As someone with basically no netfilter experience, I'm surprised to not see a newline after a semicolon. Is that idiomatic for netfilter?
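Review bot: in the default.nix hunk, `spectrum-driver-tools` is pulled from the outer package set while `pkgsMusl` is already in the argument list, so the VM would get a glibc build of that one tool; taking it as `pkgsMusl.spectrum-driver-tools` (or deriving it from `pkgsMusl` alongside the rest of the image closure) keeps the whole image on one libc. The hunk also only shows the argument list, not the place where the tool is consumed, so it is not visible from this patch whether it ends up in the image or only in the build environment; a one-line mention in the commit message of what it is used for would make that clear.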
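Review bot: in the nftables.conf hunk, `table driver-fw` names no address family, so nft treats it as `table ip driver-fw` and the three `policy drop` base chains apply to IPv4 only; IPv6 traffic is not touched by them at all. If the intent is a default-deny driver VM, declare it as `table inet driver-fw` so the same input/output/forward chains cover both families. As written the file also contains no accept rules, not even `iif "lo" accept` or `ct state established,related accept`, so unless the mdev iface hook changed in this same patch installs them at runtime, loopback and reply traffic inside the VM are dropped too; either add those two rules here or leave a comment saying where the rules come from. The old `nat`/`postrouting` chain is removed outright, so if the iface script still inserts masquerade rules into that chain it now needs a new target; worth a sentence in the commit message. Minor: the `SPDX-FileCopyrightText` line replaces the 2021 Alyssa Ross entry instead of adding a second line, and REUSE convention is to append. On the semicolon question raised above: `type filter hook input priority filter; policy drop;` on a single line is the form nft's own documentation uses, so that part is idiomatic.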