Merge pull request #301514 from r-vdp/nftables-rpfilter-extra-rules

nixos/firewall-nftables: allow adding additional rules to the rpfilter chain
Pol Dellaiera 2024-04-21 23:02:01 +02:00 committed by GitHub
commit 95d8be4d3c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -45,6 +45,18 @@ in
This option only works with the nftables based firewall.
'';
};
extraReversePathFilterRules = mkOption {
type = types.lines;
default = "";
example = "fib daddr . mark . iif type local accept";
description = lib.mdDoc ''
Additional nftables rules to be appended to the rpfilter-allow
chain.
This option only works with the nftables based firewall.
'';
};
};
};
@ -79,6 +91,8 @@ in
meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server"
fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept
jump rpfilter-allow
${optionalString cfg.logReversePathDrops ''
log level info prefix "rpfilter drop: "
''}
@ -86,6 +100,10 @@ in
}
''}
chain rpfilter-allow {
${cfg.extraReversePathFilterRules}
}
chain input {
type filter hook input priority filter; policy drop;
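Review bot: The option description added in the first hunk (L20–L24) does not tell the user what a rule in this chain actually does: `rpfilter-allow` is jumped to from the `rpfilter` chain (L31) ahead of the log/drop, so any rule that `accept`s inside `${cfg.extraReversePathFilterRules}` (L39) exempts that traffic from reverse-path filtering altogether, which is a deliberate security bypass and should be spelled out. Suggested description text: `Additional nftables rules to be appended to the rpfilter-allow chain. These run before the reverse-path drop, so anything they accept is exempt from reverse-path filtering; keep them as narrow as possible.` The chain itself is emitted unconditionally (L38–L40) while the `jump` appears to sit inside a conditional that the `''}` at L37 closes and whose opening is outside the hunk — presumably the `checkReversePath` guard — so the option would silently do nothing when `checkReversePath = false`; either document that or add a warning along the lines of `warnings = lib.optional (cfg.checkReversePath == false && cfg.extraReversePathFilterRules != "") "networking.firewall.extraReversePathFilterRules has no effect when checkReversePath is disabled";`. Both the option set in the first hunk and the ruleset string in the later hunks start and end outside the visible hunks, and the file path of this section is not shown on the page.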