Loading nixos/modules/services/networking/firewall-nftables.nix +18 −0 Original line number Diff line number Diff line Loading @@ -45,6 +45,18 @@ in This option only works with the nftables based firewall. ''; }; extraReversePathFilterRules = mkOption { type = types.lines; default = ""; example = "fib daddr . mark . iif type local accept"; description = lib.mdDoc '' Additional nftables rules to be appended to the rpfilter-allow chain. This option only works with the nftables based firewall. ''; }; }; }; Loading Loading @@ -79,6 +91,8 @@ in meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server" fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept jump rpfilter-allow ${optionalString cfg.logReversePathDrops '' log level info prefix "rpfilter drop: " ''} Loading @@ -86,6 +100,10 @@ in } ''} chain rpfilter-allow { ${cfg.extraReversePathFilterRules} } chain input { type filter hook input priority filter; policy drop; Loading Loading
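Review bot: The description of `extraReversePathFilterRules` should state what these rules actually decide: in the second hunk `jump rpfilter-allow` is placed after the `fib saddr . mark … oif exists accept` line and directly before the optional log and drop, so the chain only ever sees packets that have already failed the reverse-path check, and an `accept` there exempts the packet from rpfilter entirely. Suggested wording: `Additional nftables rules evaluated for packets that fail the reverse path check, before they are logged and dropped; a rule that accepts here exempts the packet from reverse path filtering.` In the third hunk the `chain rpfilter-allow { … }` block is emitted after the `''}` that appears to close the conditional rpfilter chain, so the chain is declared unconditionally while the jump is presumably only generated when reverse-path checking is enabled; if that is the case, the description should also say the rules have no effect when `checkReversePath` is disabled. The surrounding ruleset string and the conditional it belongs to begin and end outside the visible hunks, and the same section is shown twice on this page.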
nixos/modules/services/networking/firewall-nftables.nix +18 −0 Original line number Diff line number Diff line Loading @@ -45,6 +45,18 @@ in This option only works with the nftables based firewall. ''; }; extraReversePathFilterRules = mkOption { type = types.lines; default = ""; example = "fib daddr . mark . iif type local accept"; description = lib.mdDoc '' Additional nftables rules to be appended to the rpfilter-allow chain. This option only works with the nftables based firewall. ''; }; }; }; Loading Loading @@ -79,6 +91,8 @@ in meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server" fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept jump rpfilter-allow ${optionalString cfg.logReversePathDrops '' log level info prefix "rpfilter drop: " ''} Loading @@ -86,6 +100,10 @@ in } ''} chain rpfilter-allow { ${cfg.extraReversePathFilterRules} } chain input { type filter hook input priority filter; policy drop; Loading