From b81aa02800795724fe0a01e7544c49b04a40994a Mon Sep 17 00:00:00 2001
From: Nikolay Amiantov
Date: Tue, 17 Apr 2018 12:40:05 +0300
Subject: [PATCH] firewall service: run stop commands in reload

Do cleanup of user-created additional rules. Of course it'd be much better to just use iptables-{save,restore} for declarative management, but as it's still not there...
---
 nixos/modules/services/networking/firewall.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 20c0b0acf165..c4bd0e7f9eef 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -242,6 +242,9 @@ let
 # Don't allow traffic to leak out until the script has completed
 ip46tables -A INPUT -j nixos-drop
+
+ ${cfg.extraStopCommands}
+
 if ${startScript}; then
 ip46tables -D INPUT -j nixos-drop 2>/dev/null || true
 else