author | Marek Mahut <marek.mahut@gmail.com> | 2019-08-19 21:05:42 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-08-19 21:05:42 +0200 |
commit | d7b3d2d0fdd47b2e292bb715c0d290f21f5556a6 (patch) | |
tree | f221a8540ffd81db9b23f95af1a3f3b63f27bd94 /nixos/modules/services | |
parent | 7c15694c29aec6e0a38a5755480def7f2e515b19 (diff) | |
parent | 089da1c14dfdd76c2f3d66c383d97cb3aee34142 (diff) | |
Merge pull request #65995 from danderson/master
nixos/sshguard: create ipsets before starting, and clean up after stopping.
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/security/sshguard.nix | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix
index 25cec5b5b10..4a174564dd2 100644
--- a/nixos/modules/services/security/sshguard.nix
+++ b/nixos/modules/services/security/sshguard.nix
@@ -106,14 +106,24 @@ in {
 path = with pkgs; [ iptables ipset iproute systemd ];
- postStart = ''
+ # The sshguard ipsets must exist before we invoke
+ # iptables. sshguard creates the ipsets after startup if
+ # necessary, but if we let sshguard do it, we can't reliably add
+ # the iptables rules because postStart races with the creation
+ # of the ipsets. So instead, we create both the ipsets and
+ # firewall rules before sshguard starts.
+ preStart = ''
+ ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet
+ ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
 ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP
 ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
 '';
- preStop = ''
+ postStop = ''
 ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP
 ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
+ ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4
+ ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6
 '';
 unitConfig.Documentation = "man:sshguard(8)";
|