mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-29 00:53:57 +00:00
361fde84f9
The inclusion of the "meta ipsec" rule in the default reverse path
filtering breaks systems not built with specific XFRM kernel config
options. Specifically CONFIG_XFRM must be set, which gets selected
by CONFIG_NFT_XFRM, which is hidden behind CONFIG_XFRM_USER.
These options are not selected by default in most defconfig's provided
by the kernel with the exception of some device-specific defconfigs.
These options are not set by the nix kernel common_config, and I would
argue that IPSec support does not belong in a minimal kernel as that
elevates its support status above other in-kernel VPN interfaces.
The contributor of this feature does not seem interested in working
towards a solution that does not break systems running kernels built
with "autoModules = false" while supporting this feature, and as this
silently breaks firewalls into an insecure state and poses an immediate
security issue I propose this be reverted until a solution that does not
break such systems is proposed.
https://github.com/NixOS/nixpkgs/pull/310857#discussion_r1742834970
Devices used as firewalls, if they do not have the required kernel
config, will fail to load the new firewall rules and will upon boot pass
traffic without any filtering into the internal network.
Devices exposed directly to the internet, after reboot, will boot
without filtering potentially exposing services not intended to be
exposed to the internet, such as databases.
The following platforms in nixpkgs appear to be impacted:
- pc_simplekernel
- pogoplug4
- sheevaplug
- zero-gravitas
- zero-sugar
- utilite
- guruplug
- beaglebone
- fuloong2f_n32
References to hardware without autoModules can be found in
nixos-hardware, as well as in active third-party repos on github.
I suspect there are other users impacted that do not have their configurations
public, as autoModules = true leads to long compile times when targeting
kernels to less standard hardware or hardware with quirks that require
patches that cannot be upstreamed.
This reverts commit 3c12ef3f21.
193 lines
5.9 KiB
Nix
193 lines
5.9 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
cfg = config.networking.firewall;
|
|
|
|
ifaceSet = concatStringsSep ", " (
|
|
map (x: ''"${x}"'') cfg.trustedInterfaces
|
|
);
|
|
|
|
portsToNftSet = ports: portRanges: concatStringsSep ", " (
|
|
map (x: toString x) ports
|
|
++ map (x: "${toString x.from}-${toString x.to}") portRanges
|
|
);
|
|
|
|
in
|
|
|
|
{
|
|
|
|
options = {
|
|
|
|
networking.firewall = {
|
|
extraInputRules = mkOption {
|
|
type = types.lines;
|
|
default = "";
|
|
example = "ip6 saddr { fc00::/7, fe80::/10 } tcp dport 24800 accept";
|
|
description = ''
|
|
Additional nftables rules to be appended to the input-allow
|
|
chain.
|
|
|
|
This option only works with the nftables based firewall.
|
|
'';
|
|
};
|
|
|
|
extraForwardRules = mkOption {
|
|
type = types.lines;
|
|
default = "";
|
|
example = "iifname wg0 accept";
|
|
description = ''
|
|
Additional nftables rules to be appended to the forward-allow
|
|
chain.
|
|
|
|
This option only works with the nftables based firewall.
|
|
'';
|
|
};
|
|
|
|
extraReversePathFilterRules = mkOption {
|
|
type = types.lines;
|
|
default = "";
|
|
example = "fib daddr . mark . iif type local accept";
|
|
description = ''
|
|
Additional nftables rules to be appended to the rpfilter-allow
|
|
chain.
|
|
|
|
This option only works with the nftables based firewall.
|
|
'';
|
|
};
|
|
};
|
|
|
|
};
|
|
|
|
config = mkIf (cfg.enable && config.networking.nftables.enable) {
|
|
|
|
assertions = [
|
|
{
|
|
assertion = cfg.extraCommands == "";
|
|
message = "extraCommands is incompatible with the nftables based firewall: ${cfg.extraCommands}";
|
|
}
|
|
{
|
|
assertion = cfg.extraStopCommands == "";
|
|
message = "extraStopCommands is incompatible with the nftables based firewall: ${cfg.extraStopCommands}";
|
|
}
|
|
{
|
|
assertion = cfg.pingLimit == null || !(hasPrefix "--" cfg.pingLimit);
|
|
message = "nftables syntax like \"2/second\" should be used in networking.firewall.pingLimit";
|
|
}
|
|
{
|
|
assertion = config.networking.nftables.rulesetFile == null;
|
|
message = "networking.nftables.rulesetFile conflicts with the firewall";
|
|
}
|
|
];
|
|
|
|
networking.nftables.tables."nixos-fw".family = "inet";
|
|
networking.nftables.tables."nixos-fw".content = ''
|
|
${optionalString (cfg.checkReversePath != false) ''
|
|
chain rpfilter {
|
|
type filter hook prerouting priority mangle + 10; policy drop;
|
|
|
|
meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server"
|
|
fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept
|
|
|
|
jump rpfilter-allow
|
|
|
|
${optionalString cfg.logReversePathDrops ''
|
|
log level info prefix "rpfilter drop: "
|
|
''}
|
|
|
|
}
|
|
''}
|
|
|
|
chain rpfilter-allow {
|
|
${cfg.extraReversePathFilterRules}
|
|
}
|
|
|
|
chain input {
|
|
type filter hook input priority filter; policy drop;
|
|
|
|
${optionalString (ifaceSet != "") ''iifname { ${ifaceSet} } accept comment "trusted interfaces"''}
|
|
|
|
# Some ICMPv6 types like NDP is untracked
|
|
ct state vmap {
|
|
invalid : drop,
|
|
established : accept,
|
|
related : accept,
|
|
new : jump input-allow,
|
|
untracked: jump input-allow,
|
|
}
|
|
|
|
${optionalString cfg.logRefusedConnections ''
|
|
tcp flags syn / fin,syn,rst,ack log level info prefix "refused connection: "
|
|
''}
|
|
${optionalString (cfg.logRefusedPackets && !cfg.logRefusedUnicastsOnly) ''
|
|
pkttype broadcast log level info prefix "refused broadcast: "
|
|
pkttype multicast log level info prefix "refused multicast: "
|
|
''}
|
|
${optionalString cfg.logRefusedPackets ''
|
|
pkttype host log level info prefix "refused packet: "
|
|
''}
|
|
|
|
${optionalString cfg.rejectPackets ''
|
|
meta l4proto tcp reject with tcp reset
|
|
reject
|
|
''}
|
|
|
|
}
|
|
|
|
chain input-allow {
|
|
|
|
${concatStrings (mapAttrsToList (iface: cfg:
|
|
let
|
|
ifaceExpr = optionalString (iface != "default") "iifname ${iface}";
|
|
tcpSet = portsToNftSet cfg.allowedTCPPorts cfg.allowedTCPPortRanges;
|
|
udpSet = portsToNftSet cfg.allowedUDPPorts cfg.allowedUDPPortRanges;
|
|
in
|
|
''
|
|
${optionalString (tcpSet != "") "${ifaceExpr} tcp dport { ${tcpSet} } accept"}
|
|
${optionalString (udpSet != "") "${ifaceExpr} udp dport { ${udpSet} } accept"}
|
|
''
|
|
) cfg.allInterfaces)}
|
|
|
|
${optionalString cfg.allowPing ''
|
|
icmp type echo-request ${optionalString (cfg.pingLimit != null) "limit rate ${cfg.pingLimit}"} accept comment "allow ping"
|
|
''}
|
|
|
|
icmpv6 type != { nd-redirect, 139 } accept comment "Accept all ICMPv6 messages except redirects and node information queries (type 139). See RFC 4890, section 4.4."
|
|
ip6 daddr fe80::/64 udp dport 546 accept comment "DHCPv6 client"
|
|
|
|
${cfg.extraInputRules}
|
|
|
|
}
|
|
|
|
${optionalString cfg.filterForward ''
|
|
chain forward {
|
|
type filter hook forward priority filter; policy drop;
|
|
|
|
ct state vmap {
|
|
invalid : drop,
|
|
established : accept,
|
|
related : accept,
|
|
new : jump forward-allow,
|
|
untracked : jump forward-allow,
|
|
}
|
|
|
|
}
|
|
|
|
chain forward-allow {
|
|
|
|
icmpv6 type != { router-renumbering, 139 } accept comment "Accept all ICMPv6 messages except renumbering and node information queries (type 139). See RFC 4890, section 4.3."
|
|
|
|
ct status dnat accept comment "allow port forward"
|
|
|
|
${cfg.extraForwardRules}
|
|
|
|
}
|
|
''}
|
|
'';
|
|
|
|
};
|
|
|
|
}
|