From 94bb48be78694312cc0002141e4edb39d965b098 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 10 Sep 2013 14:58:12 +0200
Subject: [PATCH] firewall.nix: Don't make missing rpfilter support a fatal error

This makes upgrading from Linux 3.2 to 3.4 a bit nicer.
---
 modules/services/networking/firewall.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index 25a832da7a4..6261bab94a1 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -298,7 +298,9 @@ in
 # Perform a reverse-path test to refuse spoofers
 # For now, we just drop, as the raw table doesn't have a log-refuse yet
 ${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
- ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP
+ if ! ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP; then
+ echo "<2>failed to initialise rpfilter support" >&2
+ fi
 ''}
 # Accept all traffic on the trusted interfaces.
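Review bot: The new `if ! ip46tables …` branch turns a failed rpfilter insertion into a log line, so a host where the administrator explicitly enabled cfg.checkReversePath can now come up without the reverse-path anti-spoofing rule, and only the `<2>` message records that the requested protection is absent; the message should say so plainly, e.g. `echo "<2>failed to initialise rpfilter support; reverse-path filtering is NOT active" >&2`. If ip46tables runs the rule for both IPv4 and IPv6 (not visible in the hunk), a failure of only one family is reported the same way, so the operator cannot tell which family lacks the check. A short comment above the `if` stating why the failure is non-fatal — the kernelHasRPFilter guard presumably passes on kernels that still lack the xt_rpfilter match, as the commit message's 3.2→3.4 upgrade suggests — would keep the next reader from re-tightening it. The surrounding firewall start script begins and ends outside this hunk.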