1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
|
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.networking.firewall;
ifaceSet = concatStringsSep ", " (
map (x: ''"${x}"'') cfg.trustedInterfaces
);
portsToNftSet = ports: portRanges: concatStringsSep ", " (
map (x: toString x) ports
++ map (x: "${toString x.from}-${toString x.to}") portRanges
);
in
{
options = {
networking.firewall = {
extraInputRules = mkOption {
type = types.lines;
default = "";
example = "ip6 saddr { fc00::/7, fe80::/10 } tcp dport 24800 accept";
description = lib.mdDoc ''
Additional nftables rules to be appended to the input-allow
chain.
This option only works with the nftables based firewall.
'';
};
extraForwardRules = mkOption {
type = types.lines;
default = "";
example = "iifname wg0 accept";
description = lib.mdDoc ''
Additional nftables rules to be appended to the forward-allow
chain.
This option only works with the nftables based firewall.
'';
};
};
};
config = mkIf (cfg.enable && config.networking.nftables.enable) {
assertions = [
{
assertion = cfg.extraCommands == "";
message = "extraCommands is incompatible with the nftables based firewall: ${cfg.extraCommands}";
}
{
assertion = cfg.extraStopCommands == "";
message = "extraStopCommands is incompatible with the nftables based firewall: ${cfg.extraStopCommands}";
}
{
assertion = cfg.pingLimit == null || !(hasPrefix "--" cfg.pingLimit);
message = "nftables syntax like \"2/second\" should be used in networking.firewall.pingLimit";
}
{
assertion = config.networking.nftables.rulesetFile == null;
message = "networking.nftables.rulesetFile conflicts with the firewall";
}
];
networking.nftables.tables."nixos-fw".family = "inet";
networking.nftables.tables."nixos-fw".content = ''
${optionalString (cfg.checkReversePath != false) ''
chain rpfilter {
type filter hook prerouting priority mangle + 10; policy drop;
meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server"
fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept
${optionalString cfg.logReversePathDrops ''
log level info prefix "rpfilter drop: "
''}
}
''}
chain input {
type filter hook input priority filter; policy drop;
${optionalString (ifaceSet != "") ''iifname { ${ifaceSet} } accept comment "trusted interfaces"''}
# Some ICMPv6 types like NDP is untracked
ct state vmap {
invalid : drop,
established : accept,
related : accept,
new : jump input-allow,
untracked: jump input-allow,
}
${optionalString cfg.logRefusedConnections ''
tcp flags syn / fin,syn,rst,ack log level info prefix "refused connection: "
''}
${optionalString (cfg.logRefusedPackets && !cfg.logRefusedUnicastsOnly) ''
pkttype broadcast log level info prefix "refused broadcast: "
pkttype multicast log level info prefix "refused multicast: "
''}
${optionalString cfg.logRefusedPackets ''
pkttype host log level info prefix "refused packet: "
''}
${optionalString cfg.rejectPackets ''
meta l4proto tcp reject with tcp reset
reject
''}
}
chain input-allow {
${concatStrings (mapAttrsToList (iface: cfg:
let
ifaceExpr = optionalString (iface != "default") "iifname ${iface}";
tcpSet = portsToNftSet cfg.allowedTCPPorts cfg.allowedTCPPortRanges;
udpSet = portsToNftSet cfg.allowedUDPPorts cfg.allowedUDPPortRanges;
in
''
${optionalString (tcpSet != "") "${ifaceExpr} tcp dport { ${tcpSet} } accept"}
${optionalString (udpSet != "") "${ifaceExpr} udp dport { ${udpSet} } accept"}
''
) cfg.allInterfaces)}
${optionalString cfg.allowPing ''
icmp type echo-request ${optionalString (cfg.pingLimit != null) "limit rate ${cfg.pingLimit}"} accept comment "allow ping"
''}
icmpv6 type != { nd-redirect, 139 } accept comment "Accept all ICMPv6 messages except redirects and node information queries (type 139). See RFC 4890, section 4.4."
ip6 daddr fe80::/64 udp dport 546 accept comment "DHCPv6 client"
${cfg.extraInputRules}
}
${optionalString cfg.filterForward ''
chain forward {
type filter hook forward priority filter; policy drop;
ct state vmap {
invalid : drop,
established : accept,
related : accept,
new : jump forward-allow,
untracked : jump forward-allow,
}
}
chain forward-allow {
icmpv6 type != { router-renumbering, 139 } accept comment "Accept all ICMPv6 messages except renumbering and node information queries (type 139). See RFC 4890, section 4.3."
ct status dnat accept comment "allow port forward"
${cfg.extraForwardRules}
}
''}
'';
};
}
|