Merge pull request #310857 from rnhmjoj/pr-firewall

nixos/firewall: fix reverse path check failures with IPsec

nixos/modules/services/networking/firewall-iptables.nix

@@ -123,6 +123,9 @@ let
       # Allows this host to act as a DHCP4 client without first having to use APIPA
       iptables -t mangle -A nixos-fw-rpfilter -p udp --sport 67 --dport 68 -j RETURN
 
+      # Allows decrypted packets from an IPsec VPN
+      ip46tables -t mangle -A nixos-fw-rpfilter -m policy --dir in --pol ipsec -j RETURN
+
       # Allows this host to act as a DHCPv4 server
       iptables -t mangle -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN
 

nixos/modules/services/networking/firewall-nftables.nix

@@ -82,6 +82,11 @@ in
       }
     ];
 
+    networking.nftables.preCheckRuleset = ''
+      # can't validate IPsec rules
+      sed '/meta ipsec/d' -i ruleset.conf
+    '';
+
     networking.nftables.tables."nixos-fw".family = "inet";
     networking.nftables.tables."nixos-fw".content = ''
         ${optionalString (cfg.checkReversePath != false) ''
@@ -89,6 +94,7 @@ in
             type filter hook prerouting priority mangle + 10; policy drop;
 
             meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept comment "DHCPv4 client/server"
+            meta ipsec exists accept comment "decrypted packets from an IPsec VPN"
             fib saddr . mark ${optionalString (cfg.checkReversePath != "loose") ". iif"} oif exists accept
 
             jump rpfilter-allow