Previously the assertion passed if the kernel had support OR the
filter was *enabled*. In the case of a kernel without support, the
`checkReversePath` option defaulted to false, and then failed the
assertion.
This allows one to add rules which change a packet's routing table:
iptables -t raw -I PREROUTING 1 -m set --match-set myset src -j MARK --set-mark 2
ip rule add fwmark 2 table 1 priority 1000
ip route add default dev wg0 table 1
to the beginning of raw table PREROUTING chain, and still have rpfilter.
Do cleanup of user-created additional rules.
Of course it'd be much better to just use iptables-{save,restore} for
declarative management, but as it's still not there...
* Fix the FW names
FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw.
* Update the comment (documentation) at the top
Order the chains of the main table alphabetically (like in the rest of
the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop
(used while reloading the firewall).
* Refactor the module (mainly comments)
- Move some attributes to the top for better visibility (that should
hopefully make it easier to read and understand this module without
jumping around too much).
- Add some missing examples and improve some descriptions.
- Reorder the mkOption attributes for consistency.
- Wrap lines at 72 characters.
- Use two spaces between sentences.
Follow-up to the following commits:
abdc5961c3: Fix starting the firewall
e090701e2d: Order before sysinit
Solely use sysinit.target here instead of multi-user.target because we
want to make sure that the iptables rules are applied *before* any
socket units are started.
The reason I've dropped the wantedBy on multi-user.target is that
sysinit.target is already a part of the dependency chain of
multi-user.target.
To make sure that this holds true, I've added a small test case to
ensure that during switch of the configuration the firewall.service is
considered as well.
Tested using the firewall NixOS test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
Probably as a result of 992c514a20, it
was not being started anymore.
My understanding of systemd.special(7) (section "Special passive
system units") is that the firewall should want network-pre.target,
rather than the other way around (not very intuitive...). This in
itself does not cause the firewall to be wanted, which is why the
wanted-by relationship with multi-user.target is necessary.
http://hydra.nixos.org/build/39965589
Adds a new chain in the raw table for reverse path filtering and optional
logging. A rule to allow serving DHCPv4 was also added as it is commonly
needed and poses no security risk even when no DHCPv4 server is running.
Fixes#10101.
This patch fixes https://github.com/NixOS/nixpkgs/issues/12927.
It would be great to configure good rate-limiting defaults for this via
/proc/sys/net/ipv4/icmp_ratelimit and /proc/sys/net/ipv6/icmp/ratelimit,
too, but I didn't since I don't know what a "good default" would be.
- add missing types in module definitions
- add missing 'defaultText' in module definitions
- wrap example with 'literalExample' where necessary in module definitions
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
This prevents errors like "Another app is currently holding the
xtables lock" if the firewall and NAT services are starting in
parallel. (Longer term, we should probably move to a single service
for managing the iptables rules.)
This is useful for packages like mosh, which use a wide UDP port range
by default for incoming connections.
Signed-off-by: Austin Seipp <aseipp@pobox.com>