From a49c2366efad78d296375b7c17065cacee3c3975 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Mon, 29 May 2017 17:24:27 +0200
Subject: [PATCH] nixos/firewall: clean up rpfilter rules properly

The rpfilter rules wouldn't be removed if it was previously enabled but disabled in a new generation.
---
 nixos/modules/services/networking/firewall.nix | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 243cd04c96c2..68a814b23053 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -114,14 +114,15 @@ let
 # The "nixos-fw" chain does the actual work.
 ip46tables -N nixos-fw
 
- # Perform a reverse-path test to refuse spoofers
- # For now, we just drop, as the raw table doesn't have a log-refuse yet
- ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) ''
- # Clean up rpfilter rules
- ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true
- ip46tables -t raw -F nixos-fw-rpfilter 2> /dev/null || true
- ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true
+ # Clean up rpfilter rules
+ ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true
+ ip46tables -t raw -F nixos-fw-rpfilter 2> /dev/null || true
+ ip46tables -t raw -X nixos-fw-rpfilter 2> /dev/null || true
+ ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) ''
+ # Perform a reverse-path test to refuse spoofers
+ # For now, we just drop, as the raw table doesn't have a log-refuse yet
+ ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true
 ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN
 
 # Allows this host to act as a DHCPv4 server
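Review bot: The now-unconditional cleanup still removes only one `-j nixos-fw-rpfilter` jump from raw PREROUTING, so if that jump was ever added more than once, a copy survives, the new `-X nixos-fw-rpfilter` then fails because the chain is still referenced, and the `2> /dev/null || true` on both lines hides this, leaving a stale chain that the next generation's `-N` also silently skips. Whether duplicates can arise depends on the insertion code, which lies outside this hunk, but the delete could be repeated until it fails, e.g. `while ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null; do :; done`, bearing in mind that if `ip46tables` runs both address families with a single exit status the loop would need to be done per family. Since the point of the commit is that cleanup now runs regardless of `cfg.checkReversePath`, the moved comment could record that, e.g. `# Always clean up rpfilter rules, even when checkReversePath is disabled, so a chain from a previous generation does not linger`. The `optionalString` block and, presumably, the rule that re-adds the PREROUTING jump continue past the end of the hunk.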