nixos/firewall: fix inverted assertion for reverse path filtering #73533

Merged
merged 1 commit into from Mar 14, 2020


thefloweringash
Member

Previously the assertion passed if the kernel had support OR the
filter was enabled. In the case of a kernel without support, the
checkReversePath option defaulted to false, and then failed the
assertion.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Previously the assertion passed if the kernel had support OR the
filter was *enabled*. In the case of a kernel without support, the
`checkReversePath` option defaulted to false, and then failed the
assertion.
@notgne2
Contributor

notgne2 commented Mar 17, 2020

Looks like this change has made it fail if checkReversePath is set to a string, which as far as I know should be allowed, seeing https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/firewall.nix#L120 and https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/firewall.nix#L418

@thefloweringash
Member Author

> Looks like this change has made it fail if checkReversePath is set to a string, which as far as I know should be allowed, seeing https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/firewall.nix#L120 and https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/firewall.nix#L418

Good point, sorry about breaking this. I've prepared a PR to fix this in #82767

thefloweringash added a commit to thefloweringash/nixpkgs that referenced this pull request Mar 18, 2020
Broken by 0f973e2 in NixOS#73533

The type of the checkReversePath option allows "strict" and "loose" as
well as boolean values.
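
The two assertion shapes discussed in this thread, tabulated over every value the option accepts, as an added example that is not the nixpkgs module source or code from either participant. The names `wantsFilter`, `inverted`, `intended` and `kernelHasSupport` are hypothetical, and treating any value other than `false` as "filter enabled" is an assumption.

```nix
# Added illustration; not the nixpkgs firewall module. Evaluate with:
#   nix-instantiate --eval --strict rpfilter-assertion.nix
let
  # Values the option's type allows, per the thread:
  # booleans plus "strict" and "loose".
  optionValues = [ true false "strict" "loose" ];

  # Hypothetical helper (assumption): the filter counts as requested
  # for anything other than false, so strings are handled too.
  wantsFilter = check: check != false;

  # Inverted form described in the PR text:
  # passes if the kernel has support OR the filter is enabled.
  inverted = check: kernelHasSupport:
    kernelHasSupport || wantsFilter check;

  # Intended form: requesting the filter implies kernel support.
  intended = check: kernelHasSupport:
    wantsFilter check -> kernelHasSupport;

  # Writing `check -> kernelHasSupport` directly would abort evaluation
  # for "strict" and "loose", because `->` accepts only booleans.

  row = kernelHasSupport: check: {
    inherit check kernelHasSupport;
    inverted = inverted check kernelHasSupport;
    intended = intended check kernelHasSupport;
  };
in
  # One row per (kernel support, option value) combination.
  builtins.concatMap (k: map (row k) optionValues) [ true false ]
```

In the rows without kernel support, the inverted form rejects `false` and accepts every enabling value, while the intended form does the opposite.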