From 9c503fbefba8e4f17efcb65041695cae34d39c18 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Fri, 11 Apr 2025 10:23:26 +0200 Subject: [PATCH] Clean all iptables rules on stop MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Prevents the "iptables: Chain already exists." error by making sure that we don't leave any chain on start. The ideal solution is to use iptables-restore instead, which will do the right job. But this needs to be changed in NixOS entirely. Reviewed-by: Aleix Boné --- m/hut/configuration.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/m/hut/configuration.nix b/m/hut/configuration.nix index 66cc8811..b00351de 100644 --- a/m/hut/configuration.nix +++ b/m/hut/configuration.nix @@ -56,6 +56,11 @@ iptables -A nixos-fw -p tcp -s 10.0.40.30 --dport 23080 -j nixos-fw-log-refuse iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 23080 -j nixos-fw-accept ''; + # Flush all rules and chains on stop so it won't break on start + extraStopCommands = '' + iptables -F + iptables -X + ''; }; };
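Review bot: the new `extraStopCommands` block is far broader than the problem it fixes: `iptables -F` followed by `iptables -X` flushes and deletes every chain in the IPv4 filter table, not only the chains this configuration's `extraCommands` creates, so any rules another service on the host has installed in that table (container runtimes, fail2ban-style tools, libvirt, anything else that programs iptables) are silently wiped every time the firewall unit stops or restarts. The flush also leaves only the built-in chains with their current default policies for the window between stop and start. Since the "Chain already exists." error comes from `iptables -N` being re-run against a chain left behind from the previous start, the narrower fix is to either delete just those chains by name here (`iptables -F <chain>` then `iptables -X <chain>` for each chain `extraCommands` creates) or make the creation in `extraCommands` idempotent, e.g. `iptables -N <chain> 2>/dev/null || iptables -F <chain>`, so a leftover chain is reused and emptied instead of failing the unit. Two smaller points: the commands only touch the IPv4 filter table, so chains in nat/mangle/raw and anything created with `ip6tables` are not cleaned up and would still trip the same error if they are created on start, and the comment "so it won't break on start" should name the actual failure (chain creation failing because the chain survives from the previous run) so the next reader understands why the flush is there and why the commit message says `iptables-restore` is the intended long-term replacement.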