nixos/sshguard: do not do IPv6 setup/teardown unconditionally

This commit is contained in:
Peter Hoeg 2020-11-26 15:16:51 +08:00
parent 9a39c1be2c
commit aa995fb0b7

View File

@ -119,15 +119,17 @@ in {
# firewall rules before sshguard starts.
preStart = optionalString config.networking.firewall.enable ''
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP
'' + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
'';
postStop = optionalString config.networking.firewall.enable ''
${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP
${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
${pkgs.ipset}/bin/ipset -quiet destroy sshguard4
'' + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
${pkgs.ipset}/bin/ipset -quiet destroy sshguard6
'';