···
# Perform a reverse-path test to refuse spoofers
# For now, we just drop, as the raw table doesn't have a log-refuse yet
${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
104
-
if ! ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP; then
105
-
echo "<2>failed to initialise rpfilter support" >&2
104
+
# Clean up rpfilter rules
105
+
ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true
106
+
ip46tables -t raw -F nixos-fw-rpfilter 2> /dev/null || true
107
+
ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true
109
+
ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter -j RETURN
111
+
# Allows this host to act as a DHCPv4 server
112
+
iptables -t raw -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN
114
+
${optionalString cfg.logReversePathDrops ''
115
+
ip46tables -t raw -A nixos-fw-rpfilter -j LOG --log-level info --log-prefix "rpfilter drop: "
117
+
ip46tables -t raw -A nixos-fw-rpfilter -j DROP
119
+
ip46tables -t raw -A PREROUTING -j nixos-fw-rpfilter
# Accept all traffic on the trusted interfaces.
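Review bot: The LOG rule at L37 carries no `-m limit`, so with logReversePathDrops enabled every packet that fails the rpfilter test emits a kernel log line, and because the chain sits in the raw table it sees every inbound packet before conntrack can discard anything. If the module's other LOG rules are likewise unlimited this may be a deliberate trade-off, but a spoofed burst then translates directly into log volume on the host; consider `ip46tables -t raw -A nixos-fw-rpfilter -m limit --limit 1/second --limit-burst 10 -j LOG --log-level info --log-prefix "rpfilter drop: "` or a comment stating the trade-off. Separately, the rpfilter match at L25 is no longer wrapped in the `if !` / echo that the removed lines L7 and L10 had; if the start script runs under `set -e` (not visible here), a failure to load the rpfilter match now aborts firewall startup instead of logging, which is fail-closed and arguably preferable but deserves a comment such as `# No fallback: if rpfilter cannot be installed the start script fails rather than running without the check`. The DHCPv4 exception at L31 is tightly scoped (0.0.0.0 source, broadcast destination, udp 68 to 67), which is the right shape for it. The optionalString block opened at L4 closes outside the visible lines.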
···
ip46tables -D INPUT -j nixos-fw 2>/dev/null || true
${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
191
-
if ! ip46tables -D PREROUTING -t raw -m rpfilter --invert -j DROP; then
192
-
echo "<2>failed to stop rpfilter support" >&2
204
+
ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2>/dev/null || true
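Review bot: The stop path at L56 removes the PREROUTING jump but leaves the populated nixos-fw-rpfilter chain in the raw table; it is inert once unreferenced and the start path's -D/-F/-N sequence copes with it, so this is only a teardown-cleanliness point. If a clean stop is wanted, follow L56 with `ip46tables -t raw -F nixos-fw-rpfilter 2>/dev/null || true` and `ip46tables -t raw -X nixos-fw-rpfilter 2>/dev/null || true`, mirroring how the INPUT jump at L46 is handled. The optionalString block opened at L47 closes outside the visible lines.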
···
disable this setting and setup your own counter-measures.
390
+
networking.firewall.logReversePathDrops = mkOption {
395
+
Logs dropped packets failing the reverse path filter test if
396
+
the option networking.firewall.checkReversePath is enabled.