feat: add lo default rule

module.nix

@@ -114,6 +114,11 @@ let
             description = "Accept ICMP echo requests (\"pings\").";
             default = false;
           };
+
+          lo = lib.mkOption {
+            type = lib.types.bool;
+            description = "Accept traffic from `lo` (loopback). Applies if type = filter && hook = input.";
+          };
         };
       };
 
@@ -141,6 +146,8 @@ let
             ];
 
           icmpv6 = config.type == "filter" && config.hook == "input";
+
+          lo = config.type == "filter" && config.hook == "input";
         };
 
         rules = lib.mkBefore (
@@ -154,6 +161,7 @@ let
             "icmp type echo-request accept"
             "icmpv6 type echo-request accept"
           ]
+          ++ lib.optionals config.defaultRules.lo [ "iif lo accept" ]
         );
       };
     };

nixos-options-combined.md

@@ -519,6 +519,22 @@ Accept basic ICMPv6 request types\. Applies if type = filter \&\& hook = input\.
 
 
 
+*Type:*
+boolean
+
+*Declared by:*
+ - [module\.nix](https://git.defelo.de/Defelo/nfnix/src/branch/main/module\.nix)
+
+
+
+## networking\.nftables\.tables\.\<name>\.chains\.\<name>\.defaultRules\.lo
+
+
+
+Accept traffic from ` lo ` (loopback)\. Applies if type = filter \&\& hook = input\.
+
+
+
 *Type:*
 boolean
 

nixos-options.md

@@ -142,6 +142,22 @@ Accept basic ICMPv6 request types\. Applies if type = filter \&\& hook = input\.
 
 
 
+*Type:*
+boolean
+
+*Declared by:*
+ - [module\.nix](https://git.defelo.de/Defelo/nfnix/src/branch/main/module\.nix)
+
+
+
+## networking\.nftables\.tables\.\<name>\.chains\.\<name>\.defaultRules\.lo
+
+
+
+Accept traffic from ` lo ` (loopback)\. Applies if type = filter \&\& hook = input\.
+
+
+
 *Type:*
 boolean