Merge pull request #301514 from r-vdp/nftables-rpfilter-extra-rules

nixos/firewall-nftables: allow adding additional rules to the rpfilter chain

authored by Pol Dellaiera and committed by GitHub 95d8be4d 193b257c

+18
nixos/modules/services/networking/firewall-nftables.nix
··· 45 45 This option only works with the nftables based firewall. 46 46 ''; 47 47 }; 48 + 49 + extraReversePathFilterRules = mkOption { 50 + type = types.lines; 51 + default = ""; 52 + example = "fib daddr . mark . iif type local accept"; 53 + description = lib.mdDoc '' 54 + Additional nftables rules to be appended to the rpfilter-allow 55 + chain. 56 + 57 + This option only works with the nftables based firewall. 58 + ''; 59 + }; 48 60 }; 49 61 50 62 }; ··· 79 91 meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server" 80 92 fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept 81 93 94 + jump rpfilter-allow 95 + 82 96 ${optionalString cfg.logReversePathDrops '' 83 97 log level info prefix "rpfilter drop: " 84 98 ''} 85 99 86 100 } 87 101 ''} 102 + 103 + chain rpfilter-allow { 104 + ${cfg.extraReversePathFilterRules} 105 + } 88 106 89 107 chain input { 90 108 type filter hook input priority filter; policy drop;
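Review bot: the description of `extraReversePathFilterRules` in the first hunk should state what a rule has to do to take effect. The chain is a `jump` target reached after the built-in `fib saddr . mark ... oif exists accept` check and before the optional `log` and the final drop, so a rule must carry an `accept` verdict (as the `fib daddr . mark . iif type local accept` example does) to let a packet through; a rule that matches without a verdict changes nothing, and a `drop` placed here is final. Suggest adding a sentence such as "Rules are evaluated after the default reverse-path check and before the drop; use `accept` to allow traffic that would otherwise be rejected."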
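Review bot: in the second hunk the new `chain rpfilter-allow { ... }` is emitted after the `''}` that closes the block containing the rpfilter chain and the `jump rpfilter-allow`, so the chain is rendered unconditionally while the jump to it is not. When that block is not rendered, rules supplied via `extraReversePathFilterRules` are defined but never evaluated, with no warning to the user. Suggest moving the chain inside the same conditional, or adding an assertion or a sentence in the option description saying it has no effect unless the reverse-path check is active. The empty default is fine: nftables accepts a chain with an empty body.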