nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-01 15:11:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

firewall service: respect marks in rpfilter (#39054)

Browse Source 
This allows one to add rules which change a packet's routing table:

iptables -t raw -I PREROUTING 1 -m set --match-set myset src -j MARK --set-mark 2
ip rule add fwmark 2 table 1 priority 1000
ip route add default dev wg0 table 1

to the beginning of raw table PREROUTING chain, and still have rpfilter.
This commit is contained in:
Nikolay Amiantov 2018-08-29 21:50:53 +03:00 committed by xeji
parent 364c5047bc
commit 69407cb013
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/modules/services/networking/firewall.nix
View File

@ -123,7 +123,7 @@ let
# Perform a reverse-path test to refuse spoofers
# For now, we just drop, as the raw table doesn't have a log-refuse yet
ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true
ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN
ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter --validmark ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN
# Allows this host to act as a DHCP4 client without first having to use APIPA
iptables -t raw -A nixos-fw-rpfilter -p udp --sport 67 --dport 68 -j RETURN