author | Peter Hoeg <peter@hoeg.com> | 2020-11-26 15:16:51 +0800 |
---|---|---|
committer | Peter Hoeg <peter@hoeg.com> | 2020-12-11 16:19:45 +0800 |
commit | aa995fb0b7c75c53e2a5392ea49ee1e0474294b1 (patch) | |
tree | b9f571d7944d69fac5c913f79b95a63ad731bed3 /nixos/modules | |
parent | 9a39c1be2ccf10834a349ac92e8384fe8ef1ca27 (diff) |
nixos/sshguard: do not do IPv6 setup/teardown unconditionally
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/security/sshguard.nix | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix
index e7a9cefdef30..72de11a9254c 100644
--- a/nixos/modules/services/security/sshguard.nix
+++ b/nixos/modules/services/security/sshguard.nix
@@ -119,15 +119,17 @@ in {
 # firewall rules before sshguard starts.
 preStart = optionalString config.networking.firewall.enable ''
 ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet
- ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
 ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP
+ '' + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
+ ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
 ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
 '';
 postStop = optionalString config.networking.firewall.enable ''
 ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP
- ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
 ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4
+ '' + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
+ ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
 ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6
 ''; |
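Review bot: With the new `optionalString (config.networking.firewall.enable && config.networking.enableIPv6)` fragments in `preStart` and `postStop`, neither the `sshguard6` set nor the ip6tables DROP rule exists when `networking.enableIPv6` is false, yet nothing in this hunk tells the sshguard backend to stop using that set. The backend configuration lies outside the hunk, so this is inferred: if it still tries to add IPv6 offenders to `sshguard6`, those blocks would fail quietly, and a host where IPv6 is turned back on outside this option would have no IPv6 blocking. A comment above the IPv6 fragment would record the assumption, for example `# sshguard6 and its ip6tables rule exist only when networking.enableIPv6 is set; there is no IPv6 blocking otherwise.` The condition is also written out twice, so binding it to one name would keep setup and teardown from drifting apart. The enclosing attribute set starts and ends outside the hunk.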