firewall.nix: Don't make missing rpfilter support a fatal error

This makes upgrading from Linux 3.2 to 3.4 a bit nicer.
2025-01-30 16:53:40 +00:00 · 2013-09-10 14:58:12 +02:00 · 2013-09-10 14:58:12 +02:00 · 94bb48be78
commit 94bb48be78
parent 71365b7478
1 changed files with 3 additions and 1 deletions
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@ -298,7 +298,9 @@ in
            # Perform a reverse-path test to refuse spoofers
            # For now, we just drop, as the raw table doesn't have a log-refuse yet
            ${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
-              ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP
+              if ! ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP; then
+                echo "<2>failed to initialise rpfilter support" >&2
+              fi
            ''}

            # Accept all traffic on the trusted interfaces.