From 6c62de6a31a17951d06981a2f6e21d8324c07786 Mon Sep 17 00:00:00 2001
From: Mathijs Kwik <mathijs@bluescreen303.nl>
Date: Fri, 12 Oct 2012 13:09:19 +0200
Subject: [PATCH] firewall: option to enable the rpfilter netfilter module

This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which
only works for ipv4. Furthermore, it's nicer to handle this kind of
filtering in the firewall.

There are some more subtle differences, please see:
https://home.regit.org/netfilter-en/secure-use-of-helpers/

I chose to enable this by default (when the firewall is enabled) as
it's a good idea in general. Only people with advanced routing needs
might not want this, but I guess they don't use the nixos firewall
anyway and use a custom solution. Furthermore, the option only becomes
available in kernel 3.3+, so conservative nixos users that just stick
to the default kernel will not need to act now just yet.
---
 modules/services/networking/firewall.nix | 30 ++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index e6ae725f85ff..7ea4e593cd12 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -39,6 +39,11 @@ let
       }
     '';
 
+  kernelPackages = config.boot.kernelPackages;
+  kernelHasRPFilter = kernelPackages.kernel ? features
+                   && kernelPackages.kernel.features ? netfilterRPFilter
+                   && kernelPackages.kernel.features.netfilterRPFilter;
+
 in
 
 {
@@ -140,6 +145,22 @@ in
         '';
     };
 
+    networking.firewall.checkReversePath = mkOption {
+      default = kernelHasRPFilter;
+      type = types.bool;
+      description =
+        ''
+          Performs a reverse path filter test on a packet.
+          If a reply to the packet would not be sent via the same interface
+          that the packet arrived on, it is refused.
+
+          If using asymmetric routing or other complicated routing,
+          disable this setting and setup your own counter-measures.
+
+          (needs kernel 3.3+)
+        '';
+    };
+
     networking.firewall.extraCommands = mkOption {
       default = "";
       example = "iptables -A INPUT -p icmp -j ACCEPT";
@@ -170,6 +191,9 @@ in
 
     boot.kernelModules = [ "nf_conntrack_ftp" ];
 
+    assertions = [ { assertion = ! cfg.checkReversePath || kernelHasRPFilter;
+                     message = "This kernel does not support rpfilter"; } ];
+
     jobs.firewall =
       { startOn = "started network-interfaces";
 
@@ -233,6 +257,12 @@ in
             # The "nixos-fw" chain does the actual work.
             ip46tables -N nixos-fw
 
+            # Perform a reverse-path test to refuse spoofers
+            # For now, we just drop, as the raw table doesn't have a log-refuse yet
+            ${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
+              ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP
+            ''}
+
             # Accept all traffic on the trusted interfaces.
             ${flip concatMapStrings cfg.trustedInterfaces (iface: ''
               ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept