From 2c121f421551355d3ea61e4b83ea269df83f2027 Mon Sep 17 00:00:00 2001
From: Andrew Childs
Date: Sun, 17 Nov 2019 13:48:53 +0900
Subject: [PATCH] nixos/firewall: fix inverted assertion for reverse path filtering

Previously the assertion passed if the kernel had support OR the filter was *enabled*. In the case of a kernel without support, the `checkReversePath` option defaulted to false, and then failed the assertion.
---
 nixos/modules/services/networking/firewall.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 15aaf7410674..b0045ff795e3 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -546,7 +546,7 @@ in
 options nf_conntrack nf_conntrack_helper=1
 '';
- assertions = [ { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter;
+ assertions = [ { assertion = cfg.checkReversePath -> kernelHasRPFilter;
 message = "This kernel does not support rpfilter"; } ];
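Review bot: The new `cfg.checkReversePath -> kernelHasRPFilter` needs a boolean on the left of `->`, but the removed line tested `cfg.checkReversePath != false`, which suggests the option can hold values other than true/false. Its type declaration is outside this hunk, so this needs confirming. If it does accept non-boolean values such as mode strings, those configurations will abort evaluation with a type error instead of reaching the "This kernel does not support rpfilter" message. Keeping the comparison preserves the corrected logic and stays type-safe: `assertion = cfg.checkReversePath != false -> kernelHasRPFilter;`. This assertion is what tells an operator that reverse-path (anti-spoofing) filtering cannot be enforced on the running kernel, so it should fail with its message in every enabled mode. The hunk's trailing context is not visible here.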