diff options
| author | David Anderson <dave@natulte.net> | 2019-08-04 16:20:08 -0700 |
|---|---|---|
| committer | David Anderson <dave@natulte.net> | 2019-08-04 16:23:22 -0700 |
| commit | 089da1c14dfdd76c2f3d66c383d97cb3aee34142 (patch) | |
| tree | ddcf5cfbb5c89ba1e8ef6c428b1800f90f971ffa | |
| parent | e66f7529adf659b32e74cb1cda5c0d6ea0eb7511 (diff) | |
| download | nixpkgs-089da1c14dfdd76c2f3d66c383d97cb3aee34142.tar nixpkgs-089da1c14dfdd76c2f3d66c383d97cb3aee34142.tar.gz nixpkgs-089da1c14dfdd76c2f3d66c383d97cb3aee34142.tar.bz2 nixpkgs-089da1c14dfdd76c2f3d66c383d97cb3aee34142.tar.lz nixpkgs-089da1c14dfdd76c2f3d66c383d97cb3aee34142.tar.xz nixpkgs-089da1c14dfdd76c2f3d66c383d97cb3aee34142.tar.zst nixpkgs-089da1c14dfdd76c2f3d66c383d97cb3aee34142.zip | |
nixos/sshguard: create ipsets before starting, and clean up after stopping.
The fix for #62874 introduced a race condition on startup: the postStart commands that configure the firewall run concurrently with sshguard's creation of the ipsets that the rules depend on. Unfortunately iptables fails hard when referencing an ipset that doesn't exist, so this causes non-deterministic crashlooping until sshguard wins the race. This change fixes that race condition by always creating the ipset and reconfiguring the firewall before starting sshguard, so that the order of operations is always deterministic. This change also cleans up the ipsets on sshguard shutdown, so that removing sshguard from a running system doesn't leave state behind. Fixes #65985.
| -rw-r--r-- | nixos/modules/services/security/sshguard.nix | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix index 25cec5b5b10..4a174564dd2 100644 --- a/nixos/modules/services/security/sshguard.nix +++ b/nixos/modules/services/security/sshguard.nix @@ -106,14 +106,24 @@ in { path = with pkgs; [ iptables ipset iproute systemd ]; - postStart = '' + # The sshguard ipsets must exist before we invoke + # iptables. sshguard creates the ipsets after startup if + # necessary, but if we let sshguard do it, we can't reliably add + # the iptables rules because postStart races with the creation + # of the ipsets. So instead, we create both the ipsets and + # firewall rules before sshguard starts. + preStart = '' + ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet + ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6 ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP ''; - preStop = '' + postStop = '' ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP + ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4 + ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6 ''; unitConfig.Documentation = "man:sshguard(8)"; |