public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

firewall.nix: Don't make missing rpfilter support a fatal error

Browse Source 
This makes upgrading from Linux 3.2 to 3.4 a bit nicer.
This commit is contained in:
Eelco Dolstra 2013-09-10 14:58:12 +02:00
parent 71365b7478
commit 94bb48be78
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
modules/services/networking/firewall.nix
View File

@ -298,7 +298,9 @@ in
# Perform a reverse-path test to refuse spoofers # Perform a reverse-path test to refuse spoofers
# For now, we just drop, as the raw table doesn't have a log-refuse yet # For now, we just drop, as the raw table doesn't have a log-refuse yet
${optionalString (kernelHasRPFilter && cfg.checkReversePath) '' ${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP if ! ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP; then
echo "<2>failed to initialise rpfilter support" >&2
fi
''} ''}
# Accept all traffic on the trusted interfaces. # Accept all traffic on the trusted interfaces.