Merge pull request #301514 from r-vdp/nftables-rpfilter-extra-rules
nixos/firewall-nftables: allow adding additional rules to the rpfilter chain
commit
95d8be4d3c
@ -45,6 +45,18 @@ in
|
||||
This option only works with the nftables based firewall.
|
||||
'';
|
||||
};
|
||||
|
||||
extraReversePathFilterRules = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
example = "fib daddr . mark . iif type local accept";
|
||||
description = lib.mdDoc ''
|
||||
Additional nftables rules to be appended to the rpfilter-allow
|
||||
chain.
|
||||
|
||||
This option only works with the nftables based firewall.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
@ -79,6 +91,8 @@ in
|
||||
meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server"
|
||||
fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept
|
||||
|
||||
jump rpfilter-allow
|
||||
|
||||
${optionalString cfg.logReversePathDrops ''
|
||||
log level info prefix "rpfilter drop: "
|
||||
''}
|
||||
@ -86,6 +100,10 @@ in
|
||||
}
|
||||
''}
|
||||
|
||||
chain rpfilter-allow {
|
||||
${cfg.extraReversePathFilterRules}
|
||||
}
|
||||
|
||||
chain input {
|
||||
type filter hook input priority filter; policy drop;
|
||||
|
||||
|