pyrox.dev / nixpkgs
lol
fork atom

nixos/firewall: move rpfilter from raw to mangle

fix wireguard (wg-quick)

netfilter packet flow:
raw.prerouting -> conntrack -> mangle.prerouting

rpfilter must be after conntrack
otherwise response packets are dropped

Milan Hauth a1e9f1e0 be22a05c

options
unified split
Changed files
+13 -16
nixos
modules
services
networking
firewall.nix
wg-quick.nix
+13 -13
nixos/modules/services/networking/firewall.nix 
···

       
16

       
16

       
 

       
     certain packets anyway, you can insert rules at the start of


     

       
17

       
17

       
 

       
     this chain.


     

       
18

       
18

       
 

       



     

       
19

       

       
-

       
   - ‘nixos-fw-rpfilter’ is used as the main chain in the raw table,


     

       

       
19

       
+

       
   - ‘nixos-fw-rpfilter’ is used as the main chain in the mangle table,


     

       
20

       
20

       
 

       
     called from the built-in ‘PREROUTING’ chain.  If the kernel


     

       
21

       
21

       
 

       
     supports it and `cfg.checkReversePath` is set this chain will


     

       
22

       
22

       
 

       
     perform a reverse path filter test.


     
···

       
109

       
109

       
 

       
    ip46tables -N nixos-fw


     

       
110

       
110

       
 

       



     

       
111

       
111

       
 

       
    # Clean up rpfilter rules


     

       
112

       

       
-

       
    ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true


     

       
113

       

       
-

       
    ip46tables -t raw -F nixos-fw-rpfilter 2> /dev/null || true


     

       
114

       

       
-

       
    ip46tables -t raw -X nixos-fw-rpfilter 2> /dev/null || true


     

       

       
112

       
+

       
    ip46tables -t mangle -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true


     

       

       
113

       
+

       
    ip46tables -t mangle -F nixos-fw-rpfilter 2> /dev/null || true


     

       

       
114

       
+

       
    ip46tables -t mangle -X nixos-fw-rpfilter 2> /dev/null || true


     

       
115

       
115

       
 

       



     

       
116

       
116

       
 

       
    ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) ''


     

       
117

       
117

       
 

       
      # Perform a reverse-path test to refuse spoofers


     

       
118

       

       
-

       
      # For now, we just drop, as the raw table doesn't have a log-refuse yet


     

       
119

       

       
-

       
      ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true


     

       
120

       

       
-

       
      ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter --validmark ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN


     

       

       
118

       
+

       
      # For now, we just drop, as the mangle table doesn't have a log-refuse yet


     

       

       
119

       
+

       
      ip46tables -t mangle -N nixos-fw-rpfilter 2> /dev/null || true


     

       

       
120

       
+

       
      ip46tables -t mangle -A nixos-fw-rpfilter -m rpfilter --validmark ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN


     

       
121

       
121

       
 

       



     

       
122

       
122

       
 

       
      # Allows this host to act as a DHCP4 client without first having to use APIPA


     

       
123

       

       
-

       
      iptables -t raw -A nixos-fw-rpfilter -p udp --sport 67 --dport 68 -j RETURN


     

       

       
123

       
+

       
      iptables -t mangle -A nixos-fw-rpfilter -p udp --sport 67 --dport 68 -j RETURN


     

       
124

       
124

       
 

       



     

       
125

       
125

       
 

       
      # Allows this host to act as a DHCPv4 server


     

       
126

       

       
-

       
      iptables -t raw -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN


     

       

       
126

       
+

       
      iptables -t mangle -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN


     

       
127

       
127

       
 

       



     

       
128

       
128

       
 

       
      ${optionalString cfg.logReversePathDrops ''


     

       
129

       

       
-

       
        ip46tables -t raw -A nixos-fw-rpfilter -j LOG --log-level info --log-prefix "rpfilter drop: "


     

       

       
129

       
+

       
        ip46tables -t mangle -A nixos-fw-rpfilter -j LOG --log-level info --log-prefix "rpfilter drop: "


     

       
130

       
130

       
 

       
      ''}


     

       
131

       

       
-

       
      ip46tables -t raw -A nixos-fw-rpfilter -j DROP


     

       

       
131

       
+

       
      ip46tables -t mangle -A nixos-fw-rpfilter -j DROP


     

       
132

       
132

       
 

       



     

       
133

       

       
-

       
      ip46tables -t raw -A PREROUTING -j nixos-fw-rpfilter


     

       

       
133

       
+

       
      ip46tables -t mangle -A PREROUTING -j nixos-fw-rpfilter


     

       
134

       
134

       
 

       
    ''}


     

       
135

       
135

       
 

       



     

       
136

       
136

       
 

       
    # Accept all traffic on the trusted interfaces.


     
···

       
218

       
218

       
 

       
    ip46tables -D INPUT -j nixos-fw 2>/dev/null || true


     

       
219

       
219

       
 

       



     

       
220

       
220

       
 

       
    ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) ''


     

       
221

       

       
-

       
      ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2>/dev/null || true


     

       

       
221

       
+

       
      ip46tables -t mangle -D PREROUTING -j nixos-fw-rpfilter 2>/dev/null || true


     

       
222

       
222

       
 

       
    ''}


     

       
223

       
223

       
 

       



     

       
224

       
224

       
 

       
    ${cfg.extraStopCommands}
-3
nixos/modules/services/networking/wg-quick.nix 
···

       
328

       
328

       
 

       
  config = mkIf (cfg.interfaces != {}) {


     

       
329

       
329

       
 

       
    boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;


     

       
330

       
330

       
 

       
    environment.systemPackages = [ pkgs.wireguard-tools ];


     

       
331

       

       
-

       
    # This is forced to false for now because the default "--validmark" rpfilter we apply on reverse path filtering


     

       
332

       

       
-

       
    # breaks the wg-quick routing because wireguard packets leave with a fwmark from wireguard.


     

       
333

       

       
-

       
    networking.firewall.checkReversePath = false;


     

       
334

       
331

       
 

       
    systemd.services = mapAttrs' generateUnit cfg.interfaces;


     

       
335

       
332

       
 

       



     

       
336

       
333

       
 

       
    # Prevent networkd from clearing the rules set by wg-quick when restarted (e.g. when waking up from suspend).