nixos/sshguard: do not do IPv6 setup/teardown unconditionally
parent
9a39c1be2c
commit
aa995fb0b7
@ -119,15 +119,17 @@ in {
|
||||
# firewall rules before sshguard starts.
|
||||
preStart = optionalString config.networking.firewall.enable ''
|
||||
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet
|
||||
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
|
||||
${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP
|
||||
'' + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
|
||||
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
|
||||
${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
|
||||
'';
|
||||
|
||||
postStop = optionalString config.networking.firewall.enable ''
|
||||
${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP
|
||||
${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
|
||||
${pkgs.ipset}/bin/ipset -quiet destroy sshguard4
|
||||
'' + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
|
||||
${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
|
||||
${pkgs.ipset}/bin/ipset -quiet destroy sshguard6
|
||||
'';
|
||||
|
||||
|
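Review bot: The `ip6tables -I INPUT` in the IPv6 preStart fragment, like the `iptables -I INPUT` above it, is inserted without checking whether the rule is already present, so a start that follows a postStop which did not run or stopped part-way would stack a second DROP rule. postStop removes only one copy with `-D`; a leftover rule would still reference the set, and `ipset -quiet destroy sshguard6` would then presumably fail without a message, leaving stale state behind. Guard each insert with a check, e.g. `ip6tables -C INPUT -m set --match-set sshguard6 src -j DROP 2>/dev/null || ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP`, and consider `-w` so the call waits for the xtables lock rather than failing while another firewall update holds it. The +/- markers are lost on this page, so this reads the `optionalString (… && config.networking.enableIPv6)` fragments as the new side; the enclosing service definition starts and ends outside the hunk.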