From 7135b53f7d14009e1ecc5e4ca4f57ac477d9269d Mon Sep 17 00:00:00 2001
From: materus
Date: Sun, 15 Sep 2024 21:41:55 +0200
Subject: [PATCH] materusPC: change rpfilter for wireguard
---
 configurations/host/materusPC/network.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/configurations/host/materusPC/network.nix b/configurations/host/materusPC/network.nix
index 52714d7..34656d5 100644
--- a/configurations/host/materusPC/network.nix
+++ b/configurations/host/materusPC/network.nix
@@ -4,6 +4,19 @@ WIREGUARD_PRIVATEKEY="${config.sops.placeholder.wireguard}"
 '';
+ networking.firewall = {
+ logReversePathDrops = false;
+ # wireguard trips rpfilter up
+ extraCommands = ''
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport ${materusArg.wireguard.port} -j RETURN
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport ${materusArg.wireguard.port} -j RETURN
+ '';
+ extraStopCommands = ''
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${materusArg.wireguard.port} -j RETURN || true
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${materusArg.wireguard.port} -j RETURN || true
+ '';
+ };
+ networking.useDHCP = lib.mkDefault true;
 networking.hostName = "materusPC";
 networking.wireless.iwd.enable = true;
@@ -23,6 +36,7 @@ uri = "http://nmcheck.gnome.org/check_network_status.txt";
 };
 };
+ networking.networkmanager.ensureProfiles.environmentFiles = [ config.sops.templates."networkmanager.env".path
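Review bot: The two `-j RETURN` rules that `extraCommands` inserts into `nixos-fw-rpfilter` exempt every UDP packet whose source or destination port equals `${materusArg.wireguard.port}` from reverse-path filtering, on every interface and for both IPv4 and IPv6; the `--sport` match is the wider of the two because the sender chooses the source port. As far as the NixOS firewall module goes, these packets still pass through the filter table afterwards, so this weakens anti-spoofing rather than opening a port. The exemption could still be limited to the interface that carries the tunnel's outer traffic, e.g. `ip46tables -t mangle -I nixos-fw-rpfilter -i <uplink-interface> -p udp -m udp --sport ${materusArg.wireguard.port} -j RETURN` (placeholder interface name), with the same `-i` match on the `--dport` rule and on both `-D` lines in `extraStopCommands`. With `logReversePathDrops = false` the remaining rpfilter drops leave no log entry, so the comment could be expanded to something like `# WireGuard replies fail the reverse-path check; skip rpfilter for its UDP port only (drops are not logged)`.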