From fd7b9b42912c4b2be3320f22f6e6e7d2a83e01b6 Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Mon, 15 Sep 2014 20:04:31 -0700
Subject: nixos/firewall: Don't allow traffic during reload
---
 nixos/modules/services/networking/firewall.nix | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
(limited to 'nixos/modules/services/networking/firewall.nix')
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 42914bfe5d6..b97ec8b4d43 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -264,7 +264,7 @@ in
 message = "This kernel does not support disabling conntrack helpers";
 }
 ];
- systemd.services.firewall =
+ systemd.services.firewall = rec
 { description = "Firewall";
 wantedBy = [ "network.target" ];
@@ -277,8 +277,12 @@ in
 # better have all necessary modules already loaded.
 unitConfig.ConditionCapability = "CAP_NET_ADMIN";
- serviceConfig.Type = "oneshot";
- serviceConfig.RemainAfterExit = true;
+ reloadIfChanged = true;
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
 script = ''
@@ -417,11 +421,17 @@ in
 ip46tables -A INPUT -j nixos-fw
 '';
+ reload = ''
+ ${helpers}
+ ip46tables -A INPUT -j DROP
+ ${script}
+ ip46tables -D INPUT -j DROP || true # extraCommands might delete the above rule and cause this to fail
+ '';
+
 postStop = ''
 ${helpers}
 ip46tables -D INPUT -j nixos-fw || true
- #ip46tables -P INPUT ACCEPT
 '';
 };
-- cgit 1.4.1
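Review bot: The new `reload` script appends its blocking rule with `ip46tables -A INPUT -j DROP`, which lands after every rule already in INPUT, including the existing `-j nixos-fw` jump and anything other services inserted, so packets those earlier rules accept keep flowing until `${script}` tears the old chain down; to get the "no traffic during reload" behaviour the subject promises, insert it at the head instead: `ip46tables -I INPUT -j DROP`. Note also that nothing removes the DROP rule if `${script}` exits non-zero before the final line (the NixOS script wrapper presumably runs under `set -e`), which leaves the host unreachable until the unit is restarted or the rule is deleted by hand; fail-closed is a defensible choice for a firewall, but it should be stated, e.g. `# If the rebuild fails the DROP rule is left in place: the host stays unreachable until the firewall unit is restarted`. The trailing `|| true` on the `-D` additionally hides that same failure silently, so a log line before exiting would help operators. The `systemd.services.firewall = rec { … }` attribute set that `reload` belongs to opens in the first hunk, outside this one.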