Comparing changes
base repository: NixOS/nixpkgs
base: 43a62af3a1cc
head repository: NixOS/nixpkgs
compare: 36da345caa1e
  • 1 commit
  • 1 file changed
  • 1 contributor

Commits on Jan 27, 2020

  1. nixos/sshguard: use nftables backend if enabled

    The current module assumes use of iptables and breaks if nftables is
    used instead.
    
    This change configures the correct backend based on the
    config.networking.nftables.enable setting.
    abrenk authored and Profpatsch committed Jan 27, 2020
    36da345
Showing with 9 additions and 4 deletions.
  1. +9 −4 nixos/modules/services/security/sshguard.nix
13 changes: 9 additions & 4 deletions nixos/modules/services/security/sshguard.nix
@@ -92,8 +92,11 @@ in {
"-o cat"
"-n1"
] ++ (map (name: "-t ${escapeShellArg name}") cfg.services));
backend = if config.networking.nftables.enable
then "sshg-fw-nft-sets"
else "sshg-fw-ipset";
in ''
BACKEND="${pkgs.sshguard}/libexec/sshg-fw-ipset"
BACKEND="${pkgs.sshguard}/libexec/${backend}"
LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}"
'';
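Review bot: the backend switch keys solely on `config.networking.nftables.enable`, and nothing here tells the user that the switch moves sshguard's blocklist out of the `sshguard4`/`sshguard6` ipsets and into nft sets managed by `sshg-fw-nft-sets`; consider stating that in the module's option description (or a release note), and, since the two backends drive different firewall subsystems, an `assertions` entry or `warnings` entry for the combination of `networking.nftables.enable` and `networking.firewall.enable` would make a misconfiguration visible at evaluation time rather than at service start.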

@@ -104,22 +107,24 @@ in {
after = [ "network.target" ];
partOf = optional config.networking.firewall.enable "firewall.service";

path = with pkgs; [ iptables ipset iproute systemd ];
path = with pkgs; if config.networking.nftables.enable
then [ nftables iproute systemd ]
else [ iptables ipset iproute systemd ];

# The sshguard ipsets must exist before we invoke
# iptables. sshguard creates the ipsets after startup if
# necessary, but if we let sshguard do it, we can't reliably add
# the iptables rules because postStart races with the creation
# of the ipsets. So instead, we create both the ipsets and
# firewall rules before sshguard starts.
preStart = ''
preStart = optionalString config.networking.firewall.enable ''
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP
${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
'';

postStop = ''
postStop = optionalString config.networking.firewall.enable ''
${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP
${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
${pkgs.ipset}/bin/ipset -quiet destroy sshguard4
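Review bot: `preStart` and `postStop` are now gated on `config.networking.firewall.enable`, but their bodies still unconditionally run `${pkgs.ipset}/bin/ipset` and `${pkgs.iptables}/bin/iptables` by absolute path, so the guard only skips the ipset/iptables setup if the firewall and nftables options are never both enabled; if the intent is "run this only for the ipset backend", gating on `!config.networking.nftables.enable` (or on both conditions) would state that directly instead of relying on the two options being mutually exclusive, and the comment block above `preStart`, which still describes only the ipset/iptables race, should say what happens on the nftables path (for example that no sets or rules are pre-created there) so the next reader does not assume the nftables backend is also covered by these hooks.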