From 87c9b0134f67265e003c71a23ae3c0243de94927 Mon Sep 17 00:00:00 2001
From: Mathijs Kwik
Date: Sun, 19 Nov 2017 22:11:32 +0100
Subject: [PATCH] firewall: fix rpfilter blocking dhcp offers when no ip was bound yet

(cherry picked from commit 05761e9504a97d6ffa404508f83b91cc689a3f23)
---
 nixos/modules/services/networking/firewall.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 68a814b23053be..9cfda49864a68a 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -125,6 +125,9 @@ let
 ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true
 ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN
 
+ # Allows this host to act as a DHCP4 client without first having to use APIPA
+ iptables -t raw -A nixos-fw-rpfilter -p udp --sport 67 --dport 68 -j RETURN
+
 # Allows this host to act as a DHCPv4 server
 iptables -t raw -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN
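Review bot: The added `--sport 67 --dport 68` rule matches on ports alone, so any UDP packet with that port pair skips the reverse-path check on every interface and for any address, whereas the neighbouring server rule is pinned to `-s 0.0.0.0 -d 255.255.255.255`. Addresses probably cannot be pinned here, since an offer can arrive before the host has an address or route, but the comment should state that trade-off, e.g. `# Matches on ports only: an offer can arrive before any address or route exists, so src/dst cannot be pinned. Bypasses the rpfilter check only.` Whether the later filter chains restrict udp/68 any further is not visible in this hunk and is worth confirming before relying on it. The new comment also writes `DHCP4` where the existing one writes `DHCPv4`. The enclosing `let` binding starts and ends outside the hunk.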