nixos/firewall-nftables: allow adding additional rules to the rpfilter chain

r-vdp 2024-04-04 13:07:52 +02:00
parent 383dbcec8c
commit 1eb26d4140


@ -45,6 +45,18 @@ in
This option only works with the nftables based firewall. This option only works with the nftables based firewall.
''; '';
}; };
extraReversePathFilterRules = mkOption {
type = types.lines;
default = "";
example = "fib daddr . mark . iif type local accept";
description = lib.mdDoc ''
Additional nftables rules to be appended to the rpfilter-allow
chain.
This option only works with the nftables based firewall.
'';
};
}; };
}; };
@ -79,6 +91,8 @@ in
meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server" meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server"
fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept
jump rpfilter-allow
${optionalString cfg.logReversePathDrops '' ${optionalString cfg.logReversePathDrops ''
log level info prefix "rpfilter drop: " log level info prefix "rpfilter drop: "
''} ''}
@ -86,6 +100,10 @@ in
} }
''} ''}
chain rpfilter-allow {
${cfg.extraReversePathFilterRules}
}
chain input { chain input {
type filter hook input priority filter; policy drop; type filter hook input priority filter; policy drop;
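Review bot: The description of `extraReversePathFilterRules` in the first hunk does not say what an `accept` in `rpfilter-allow` actually means: the chain is reached by the new `jump rpfilter-allow` only after the `fib saddr . mark ... oif exists accept` check has not matched, so every rule in it sees only packets that already failed the reverse-path lookup, and an `accept` verdict exempts such a packet from the drop and from the `logReversePathDrops` logging that follows. That is a security-relevant caveat a user writing rules here needs, and the `example` (an unconditional `accept` on `type local`) makes it easy to widen the bypass by mistake. I would append to the description: `Rules in this chain are evaluated only for packets that failed the reverse path check; an accept verdict here bypasses the reverse path filter (and its logging) entirely, so keep these rules as specific as possible.` In the last hunk the `chain rpfilter-allow` block is emitted after the `''}` that closes an enclosing interpolated block whose opening is outside the hunk; if that block is gated on `checkReversePath`, the new chain and its user rules are still rendered when the filter is off, which is harmless (nothing jumps to it) but worth one sentence in the description so users do not expect these rules to take effect in that configuration. The `chain rpfilter` definition containing the jump starts outside the hunk.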