nixos/firewall: Don't allow traffic during reload

1 files changed, 14 insertions, 4 deletions

diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 42914bfe5d6..b97ec8b4d43 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -264,7 +264,7 @@ in
                      message = "This kernel does not support disabling conntrack helpers"; }
                  ];
 
-    systemd.services.firewall =
+    systemd.services.firewall = rec
       { description = "Firewall";
 
         wantedBy = [ "network.target" ];
@@ -277,8 +277,12 @@ in
         # better have all necessary modules already loaded.
         unitConfig.ConditionCapability = "CAP_NET_ADMIN";
 
-        serviceConfig.Type = "oneshot";
-        serviceConfig.RemainAfterExit = true;
+        reloadIfChanged = true;
+
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
 
         script =
           ''
@@ -417,11 +421,17 @@ in
             ip46tables -A INPUT -j nixos-fw
           '';
 
+        reload = ''
+          ${helpers}
+          ip46tables -A INPUT -j DROP
+          ${script}
+          ip46tables -D INPUT -j DROP || true # extraCommands might delete the above rule and cause this to fail
+        '';
+
         postStop =
           ''
             ${helpers}
             ip46tables -D INPUT -j nixos-fw || true
-            #ip46tables -P INPUT ACCEPT
           '';
       };