nixos/firewall: clean up rpfilter rules properly

fpletz · fpletz · commit a49c2366efad · 2017-05-29T17:26:34.000+02:00
The rpfilter rules wouldn't be removed if it was previously enabled
but disabled in a new generation.
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
@@ -114,14 +114,15 @@ let
     # The "nixos-fw" chain does the actual work.
     ip46tables -N nixos-fw
 
-    # Perform a reverse-path test to refuse spoofers
-    # For now, we just drop, as the raw table doesn't have a log-refuse yet
+    # Clean up rpfilter rules
+    ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true
+    ip46tables -t raw -F nixos-fw-rpfilter 2> /dev/null || true
+    ip46tables -t raw -X nixos-fw-rpfilter 2> /dev/null || true
+
     ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) ''
-      # Clean up rpfilter rules
-      ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true
-      ip46tables -t raw -F nixos-fw-rpfilter 2> /dev/null || true
+      # Perform a reverse-path test to refuse spoofers
+      # For now, we just drop, as the raw table doesn't have a log-refuse yet
       ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true
-
       ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN
 
       # Allows this host to act as a DHCPv4 server
