From 53b24d0c957a1ed1ea2896bfeaaa63e5b6c81344 Mon Sep 17 00:00:00 2001
From: Boris Sukholitko
Date: Fri, 14 Nov 2014 09:07:18 +0200
Subject: [PATCH] firewall: clear rpfilter on stop
---
nixos/modules/services/networking/firewall.nix | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 68aac3d30de1..51e1679ce4de 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -187,6 +187,12 @@ let
# Clean up after added ruleset
ip46tables -D INPUT -j nixos-fw 2>/dev/null || true
+ ${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
+ if ! ip46tables -D PREROUTING -t raw -m rpfilter --invert -j DROP; then
+ echo "<2>failed to stop rpfilter support" >&2
+ fi
+ ''}
+
${cfg.extraStopCommands}
'';
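Review bot: The added `ip46tables -D PREROUTING -t raw -m rpfilter --invert -j DROP` only succeeds if its rule spec matches the start-side insert byte for byte, and `-D` removes a single matching instance per call, so a rule that ended up inserted twice (a start that ran without an intervening stop, or a reload that did not clean up) would survive this stop script while the anti-spoofing DROP silently stays in place; the start side is not in this hunk, so this is inferred from the spec alone. A comment tying the two together, `# Must match the rpfilter rule inserted by the start script exactly; -D removes one instance per call`, would keep future edits in sync, and if duplicate copies are a concern the warning could be followed by `while ip46tables -D PREROUTING -t raw -m rpfilter --invert -j DROP 2>/dev/null; do :; done` to drain the rest. The new block also logs on failure while the `-D INPUT -j nixos-fw` cleanup two lines above swallows errors with `2>/dev/null || true`; either both should warn or the commit should say why rpfilter removal is treated differently. The enclosing stop-command string starts before this hunk.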