nixos/firewall-nftables: allow adding additional rules to the rpfilter chain

2024-04-04 13:07:52 +02:00 · 2024-04-04 13:07:52 +02:00 · 1eb26d4140
parent 383dbcec8c
commit 1eb26d4140
1 changed files with 18 additions and 0 deletions
--- a/nixos/modules/services/networking/firewall-nftables.nix
+++ b/nixos/modules/services/networking/firewall-nftables.nix
@ -45,6 +45,18 @@ in
          This option only works with the nftables based firewall.
        '';
      };
+
+      extraReversePathFilterRules = mkOption {
+        type = types.lines;
+        default = "";
+        example = "fib daddr . mark . iif type local accept";
+        description = lib.mdDoc ''
+          Additional nftables rules to be appended to the rpfilter-allow
+          chain.
+
+          This option only works with the nftables based firewall.
+        '';
+      };
    };

  };
@ -79,6 +91,8 @@ in
            meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server"
            fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept

+            jump rpfilter-allow
+
            ${optionalString cfg.logReversePathDrops ''
              log level info prefix "rpfilter drop: "
            ''}
@ -86,6 +100,10 @@ in
          }
        ''}

+        chain rpfilter-allow {
+          ${cfg.extraReversePathFilterRules}
+        }
+
        chain input {
          type filter hook input priority filter; policy drop;