rnhmjoj
3c12ef3f21
nixos/firewall: fix reverse path check failures with IPsec
The endpoint of an IPsec tunnel receives encrypted IPsec packets that
are first decrypted and then forwarded to the intended destination.
The decrypted traffic appears to originate from the same interface it
came in from, so in most cases these packets will fail the reverse path
check even if legitimate.
This change adds an exception to not reject packets that were previously
IPsec-encrypted, meaning they have been accepted, decrypted and are in
the process of being forwarded to their final destination.
Sources:
- https://www.kernel.org/doc/Documentation/networking/xfrm_device.txt
- https://git.netfilter.org/nftables/commit/?id=49f6e9a846c6c8325b95debe04d5ebc3c01246fb
- https://git.netfilter.org/nftables/commit/?id=8f55ed41d007061bd8aae94fee2bda172c0e8996
- https://thermalcircle.de/doku.php?id=blog:linux:nftables_demystifying_ipsec_expressions
2024-06-05 15:18:35 +02:00
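The rule shape this commit describes, written out here as an added illustration (not the nixpkgs firewall module's own ruleset): the table and chain names and the `mangle + 10` priority are assumptions, and `meta ipsec exists` needs an nftables and kernel with IPsec meta support.

```nftables
# Illustrative reverse-path-filter chain (assumed names, not the NixOS module's code).
table inet firewall {
  chain rpfilter-allow {
    # user-supplied exceptions to the reverse path check go here
  }

  chain rpfilter {
    type filter hook prerouting priority mangle + 10; policy drop;

    # Ordinary packets: accept when a route back to the source exists via
    # the interface the packet came in on (strict reverse path check).
    fib saddr . mark . iif oif exists accept

    # Packets that arrived as ESP and were decrypted by the kernel xfrm stack
    # re-enter prerouting on the same interface, but with the inner source
    # address, which usually has no route back out that interface, so the
    # fib check above would drop them. They were already matched against an
    # IPsec SA/policy, so accept them instead of treating them as spoofed.
    meta ipsec exists accept comment "decrypted IPsec traffic"

    jump rpfilter-allow

    # everything else is logged and then hits the drop policy
    log level info prefix "rpfilter drop: "
  }
}
```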
Maximilian Bosch
2ee96a1738
nixos: fix manual build
`mdDoc` is deprecated!
2024-04-21 23:28:46 +02:00
Pol Dellaiera
95d8be4d3c
Merge pull request #301514 from r-vdp/nftables-rpfilter-extra-rules
nixos/firewall-nftables: allow adding additional rules to the rpfilter chain
2024-04-21 23:02:01 +02:00
stuebinm
6afb255d97
nixos: remove all uses of lib.mdDoc
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
2024-04-13 10:07:35 -07:00
r-vdp
1eb26d4140
nixos/firewall-nftables: allow adding additional rules to the rpfilter chain
2024-04-04 13:07:52 +02:00
Maciej Krüger
311d2fa994
*: migrate to using nftables.tables instead of ruleset directly
2023-08-28 00:30:29 +02:00
K900
d0f7d224da
nixos/firewall-nftables: avoid using wildcards
Those were added in kernel 5.13, which is newer than our oldest supported.
2023-03-22 17:45:05 +03:00
Rvfg
a43c7b2a70
nixos/{firewall, nat}: add a nftables based implementation
2022-12-23 00:49:24 +08:00