Unverified Commit 00f536f6 authored by Maciej Krüger's avatar Maciej Krüger Committed by GitHub

Merge pull request #310857 from rnhmjoj/pr-firewall

nixos/firewall: fix reverse path check failures with IPsec 
parents 00c100c0 fa5ae18c
+3 −0
@@ -123,6 +123,9 @@ let
      # Allows this host to act as a DHCP4 client without first having to use APIPA
      iptables -t mangle -A nixos-fw-rpfilter -p udp --sport 67 --dport 68 -j RETURN

      # Allows decrypted packets from an IPsec VPN
      ip46tables -t mangle -A nixos-fw-rpfilter -m policy --dir in --pol ipsec -j RETURN

      # Allows this host to act as a DHCPv4 server
      iptables -t mangle -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN

+6 −0
@@ -82,6 +82,11 @@ in
      }
    ];

    networking.nftables.preCheckRuleset = ''
      # can't validate IPsec rules
      sed '/meta ipsec/d' -i ruleset.conf
    '';

    networking.nftables.tables."nixos-fw".family = "inet";
    networking.nftables.tables."nixos-fw".content = ''
        ${optionalString (cfg.checkReversePath != false) ''
@@ -89,6 +94,7 @@ in
            type filter hook prerouting priority mangle + 10; policy drop;

            meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server"
            meta ipsec exists accept comment "decrypted packets from an IPsec VPN"
            fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept

            jump rpfilter-allow
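Review bot: `meta ipsec exists accept` sits before the `fib saddr . mark … oif exists accept` rule in a `policy drop` chain, so any packet carrying an IPsec secpath is accepted without its inner source ever reaching the fib check; the inner address of tunnel traffic is then validated only by the IPsec policy selectors, and the rule's comment should make that delegation explicit, e.g. `meta ipsec exists accept comment "decrypted IPsec packets; inner source is validated by the SPD selectors, not by fib"`. If the exemption is meant for specific peers only, nftables' `ipsec in` expressions (matching the SA's tunnel source or reqid) could narrow it, but I cannot tell from the hunk whether that is wanted. Note also that the `sed '/meta ipsec/d'` in preCheckRuleset strips this rule from the check copy, so a typo in this line would only surface at activation rather than at build time; a short comment to that effect next to the rule would save the next maintainer a surprise. The chain definition begins before this hunk and the enclosing `optionalString` block continues past it.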