From 3c12ef3f219c1a0f458d72e7b460782287974bbd Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Thu, 9 May 2024 20:53:46 +0200
Subject: [PATCH 1/2] nixos/firewall: fix reverse path check failures with IPsec

The endpoint of an IPsec tunnel receives encrypted IPsec packets that are first decrypted and then forwarded to the intended destination. The decrypted traffic appears to originate from the same interface it came in from, so in most cases these packets will fail the reverse path check even if legitimate. This change adds an exception to not reject packets that were previously IPsec-encrypted, meaning the have been accepted, decrypted and are in the process of being forwarded to their final destinal.

Sources:
- https://www.kernel.org/doc/Documentation/networking/xfrm_device.txt
- https://git.netfilter.org/nftables/commit/?id=49f6e9a846c6c8325b95debe04d5ebc3c01246fb
- https://git.netfilter.org/nftables/commit/?id=8f55ed41d007061bd8aae94fee2bda172c0e8996
- https://thermalcircle.de/doku.php?id=blog:linux:nftables_demystifying_ipsec_expressions
---
 nixos/modules/services/networking/firewall-iptables.nix | 3 +++
 nixos/modules/services/networking/firewall-nftables.nix | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/nixos/modules/services/networking/firewall-iptables.nix b/nixos/modules/services/networking/firewall-iptables.nix
index 91756f826fe8..68895189bcae 100644
--- a/nixos/modules/services/networking/firewall-iptables.nix
+++ b/nixos/modules/services/networking/firewall-iptables.nix
@@ -123,6 +123,9 @@ let
 # Allows this host to act as a DHCP4 client without first having to use APIPA
 iptables -t mangle -A nixos-fw-rpfilter -p udp --sport 67 --dport 68 -j RETURN
 
+ # Allows decrypted packets from an IPsec VPN
+ ip46tables -t mangle -A nixos-fw-rpfilter -m policy --dir in --pol ipsec -j RETURN
+
 # Allows this host to act as a DHCPv4 server
 iptables -t mangle -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN
 
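Review bot: The new `-m policy --dir in --pol ipsec -j RETURN` rule exempts every packet that matched any inbound IPsec policy from the reverse-path check, in strict and loose mode alike, and the one-line comment does not say why skipping the check is safe for those packets. Presumably the justification is that xfrm has already matched the decapsulated packet's addresses against the SA's traffic selectors, so a source check against the routing table adds nothing; that reasoning lives only in the commit message, so suggest extending the comment to `# Allows decrypted packets from an IPsec VPN; their inner addresses were already matched against the SA traffic selectors by xfrm`. The same applies to the `meta ipsec exists accept` rule in the firewall-nftables.nix rpfilter hunk. If only tunnel-mode peers are meant, `--mode tunnel` would narrow the iptables match; the optionalString block enclosing this chain starts and ends outside the hunk.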
diff --git a/nixos/modules/services/networking/firewall-nftables.nix b/nixos/modules/services/networking/firewall-nftables.nix
index a5ee7efc3c32..661d5c9fb1a6 100644
--- a/nixos/modules/services/networking/firewall-nftables.nix
+++ b/nixos/modules/services/networking/firewall-nftables.nix
@@ -82,6 +82,11 @@ in
 }
 ];
 
+ networking.nftables.preCheckRuleset = ''
+ # can't validate IPsec rules
+ sed '/meta ipsec/d' -i ruleset.conf
+ '';
+
 networking.nftables.tables."nixos-fw".family = "inet";
 networking.nftables.tables."nixos-fw".content = ''
 ${optionalString (cfg.checkReversePath != false) ''
@@ -89,6 +94,7 @@ in
 type filter hook prerouting priority mangle + 10; policy drop;
 
 meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server"
+ meta ipsec exists accept comment "decrypted packets from an IPsec VPN"
 fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept
 
 jump rpfilter-allow

From fa5ae18c143c299ad080be109d39cb2a29f906bb Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Sat, 11 May 2024 15:56:19 +0200
Subject: [PATCH 2/2] nixos/tests/firewall: fix deprecation warning

---
 nixos/tests/firewall.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/tests/firewall.nix b/nixos/tests/firewall.nix
index dd7551f143a5..12c6468eb7a5 100644
--- a/nixos/tests/firewall.nix
+++ b/nixos/tests/firewall.nix
@@ -36,7 +36,7 @@ import ./make-test-python.nix ( { pkgs, nftables, ... } : {
 };
 
 testScript = { nodes, ... }: let
- newSystem = nodes.walled2.config.system.build.toplevel;
+ newSystem = nodes.walled2.system.build.toplevel;
 unit = if nftables then "nftables" else "firewall";
 in ''
 start_all()
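Review bot: `sed '/meta ipsec/d' -i ruleset.conf` deletes from the checked copy every line containing that substring, so the new `meta ipsec exists accept` rule in this file, and any user rule or comment matching the unanchored pattern, is no longer validated at build time; a mistake in one of those lines would presumably only surface when the real ruleset is loaded on the target. The comment `# can't validate IPsec rules` does not say why the check fails or that validation is lost; suggest `# the ruleset check rejects 'meta ipsec' (<reason: e.g. missing IPsec support in the check environment>); strip those lines from the checked copy, so they are only validated when the ruleset is actually loaded`. The option is also set regardless of cfg.checkReversePath, which is harmless but could be guarded by the same condition as the rule it exists for.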