firewall: option to enable the rpfilter netfilter module

This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which
only works for ipv4. Furthermore, it's nicer to handle this kind of
filtering in the firewall.

There are some more subtle differences, please see:
https://home.regit.org/netfilter-en/secure-use-of-helpers/

I chose to enable this by default (when the firewall is enabled) as
it's a good idea in general. Only people with advanced routing needs
might not want this, but I guess they don't use the nixos firewall
anyway and use a custom solution. Furthermore, the option only becomes
available in kernel 3.3+, so conservative nixos users that just stick
to the default kernel will not need to act now just yet.
This commit is contained in:
Mathijs Kwik 2012-10-12 13:09:19 +02:00
parent e40146de16
commit 6c62de6a31
1 changed files with 30 additions and 0 deletions

View File

@ -39,6 +39,11 @@ let
}
'';
kernelPackages = config.boot.kernelPackages;
kernelHasRPFilter = kernelPackages.kernel ? features
&& kernelPackages.kernel.features ? netfilterRPFilter
&& kernelPackages.kernel.features.netfilterRPFilter;
in
{
@ -140,6 +145,22 @@ in
'';
};
networking.firewall.checkReversePath = mkOption {
default = kernelHasRPFilter;
type = types.bool;
description =
''
Performs a reverse path filter test on a packet.
If a reply to the packet would not be sent via the same interface
that the packet arrived on, it is refused.
If using asymmetric routing or other complicated routing,
disable this setting and setup your own counter-measures.
(needs kernel 3.3+)
'';
};
networking.firewall.extraCommands = mkOption {
default = "";
example = "iptables -A INPUT -p icmp -j ACCEPT";
@ -170,6 +191,9 @@ in
boot.kernelModules = [ "nf_conntrack_ftp" ];
assertions = [ { assertion = ! cfg.checkReversePath || kernelHasRPFilter;
message = "This kernel does not support rpfilter"; } ];
jobs.firewall =
{ startOn = "started network-interfaces";
@ -233,6 +257,12 @@ in
# The "nixos-fw" chain does the actual work.
ip46tables -N nixos-fw
# Perform a reverse-path test to refuse spoofers
# For now, we just drop, as the raw table doesn't have a log-refuse yet
${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP
''}
# Accept all traffic on the trusted interfaces.
${flip concatMapStrings cfg.trustedInterfaces (iface: ''
ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept