Merge pull request #4983 from bosu/fw-stop-fix

firewall: clear rpfilter on stop
2024-09-22 13:29:00 +02:00 · 2014-11-14 00:14:27 -08:00 · 2014-11-14 00:14:27 -08:00 · d0e15cc575
parent 557a3c92e3 53b24d0c95
commit d0e15cc575
1 changed files with 6 additions and 0 deletions
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@ -187,6 +187,12 @@ let
    # Clean up after added ruleset
    ip46tables -D INPUT -j nixos-fw 2>/dev/null || true

+    ${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
+      if ! ip46tables -D PREROUTING -t raw -m rpfilter --invert -j DROP; then
+        echo "<2>failed to stop rpfilter support" >&2
+      fi
+    ''}
+
    ${cfg.extraStopCommands}
  '';