nixos/firewall: Refactor rpfilter, allow DHCPv4 (#17325)

Adds a new chain in the raw table for reverse path filtering and optional
logging. A rule to allow serving DHCPv4 was also added as it is commonly
needed and poses no security risk even when no DHCPv4 server is running.

Fixes #10101.

authored by

Franz Pletz and committed by
GitHub
76b21b7a 5088f24d

+27 -6
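--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -101,9 +101,22 @@
 # Perform a reverse-path test to refuse spoofers
 # For now, we just drop, as the raw table doesn't have a log-refuse yet
 ${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
-if ! ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP; then
-echo "<2>failed to initialise rpfilter support" >&2
-fi
+# Clean up rpfilter rules
+ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true
+ip46tables -t raw -F nixos-fw-rpfilter 2> /dev/null || true
+ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true
+
+ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter -j RETURN
+
+# Allows this host to act as a DHCPv4 server
+iptables -t raw -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN
+
+${optionalString cfg.logReversePathDrops ''
+ip46tables -t raw -A nixos-fw-rpfilter -j LOG --log-level info --log-prefix "rpfilter drop: "
+''}
+ip46tables -t raw -A nixos-fw-rpfilter -j DROP
+
+ip46tables -t raw -A PREROUTING -j nixos-fw-rpfilter
 ''}
 
 # Accept all traffic on the trusted interfaces.
@@ -188,9 +201,7 @@
 ip46tables -D INPUT -j nixos-fw 2>/dev/null || true
 
 ${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
-if ! ip46tables -D PREROUTING -t raw -m rpfilter --invert -j DROP; then
-echo "<2>failed to stop rpfilter support" >&2
-fi
+ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2>/dev/null || true
 ''}
 
 ${cfg.extraStopCommands}
@@ -373,6 +384,16 @@
 disable this setting and setup your own counter-measures.
 
 (needs kernel 3.3+)
+'';
+};
+
+networking.firewall.logReversePathDrops = mkOption {
+default = false;
+type = types.bool;
+description =
+''
+Logs dropped packets failing the reverse path filter test if
+the option networking.firewall.checkReversePath is enabled.
 '';
 };
 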
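Review bot: The LOG rule appended in the first hunk has no rate limit, so with logReversePathDrops enabled a burst of spoofed packets can flood the kernel log and the journal; a limit match bounds that, e.g. `ip46tables -t raw -A nixos-fw-rpfilter -m limit --limit 1/second -j LOG --log-level info --log-prefix "rpfilter drop: "` (pick the rate to match whatever the file's other log rules use, if they have one). The stop hunk only removes the jump from PREROUTING and leaves the populated nixos-fw-rpfilter chain in the raw table, whereas the start hunk flushes and recreates it; adding `ip46tables -t raw -F nixos-fw-rpfilter 2>/dev/null || true` and `ip46tables -t raw -X nixos-fw-rpfilter 2>/dev/null || true` after the `-D` would leave no stale rules behind on stop. The `-m rpfilter -j RETURN` append and the DHCPv4 RETURN are not error-suppressed like the surrounding `|| true` lines, so on a kernel without the rpfilter match the outcome presumably depends on whether the script runs with errexit; the old code reported that failure explicitly, and a short comment such as `# Intentionally not suppressed: fail loudly if the rpfilter match is unavailable` would make the intent clear. The start and stop script strings enclosing these hunks continue outside the hunks.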