From 1f1164cc98252a9e990658f6ab068d1519a6b618 Mon Sep 17 00:00:00 2001 From: Daniel Barlow Date: Wed, 28 Jun 2023 23:51:21 +0100 Subject: [PATCH] allow dhcp client on wan --- examples/rotuer-firewall.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/examples/rotuer-firewall.nix b/examples/rotuer-firewall.nix index c8fddcff..249d392d 100644 --- a/examples/rotuer-firewall.nix +++ b/examples/rotuer-firewall.nix @@ -106,6 +106,16 @@ in { (accept "tcp dport 22") ]; }; + + input-wan = { + type = "filter"; + family = "ip6"; + + rules = [ + (accept "udp dport 546") # dhcp client, needed for prefix delegation + ]; + }; + input-ip6 = { type = "filter"; family = "ip6"; @@ -114,6 +124,7 @@ in { rules = [ (accept "meta l4proto icmpv6") "iifname int jump input-lan" + "iifname ppp0 jump input-wan" (if allow-incoming then accept "oifname \"int\" iifname \"ppp0\"" else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
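Review bot: The new `input-wan` rule accepts UDP to port 546 from any source address arriving on ppp0, which is wider than DHCPv6 needs, since replies to a client normally come from the upstream server's or relay's link-local address. Consider narrowing it to `(accept "ip6 saddr fe80::/10 udp dport 546")`, after confirming that the ISP's replies really do arrive from a link-local source, so that off-link hosts cannot reach the DHCPv6 client's socket. The trailing comment could say "DHCPv6 client" rather than "dhcp client", because the chain is `ip6`-only and port 546 is specific to DHCPv6. The `accept` helper and the default policy of `input-ip6` are defined outside the hunk, so this assumes that WAN packets not matched here fall through to a drop.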