Merge pull request #266477 from duament/nixos-nat-nftables

nixos/nat: fix nat-nftables

authored by Maciej Krüger and committed by GitHub 7b1e146a 6a414628

+6 -25
+6 -25
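--- a/nixos/modules/services/networking/nat-nftables.nix
+++ b/nixos/modules/services/networking/nat-nftables.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 
 with lib;
 
@@ -35,26 +35,18 @@
 
 mkTable = { ipVer, dest, ipSet, forwardPorts, dmzHost }:
 let
-# nftables does not support both port and port range as values in a dnat map.
-# e.g. "dnat th dport map { 80 : 10.0.0.1 . 80, 443 : 10.0.0.2 . 900-1000 }"
-# So we split them.
-fwdPorts = filter (x: length (splitString "-" x.destination) == 1) forwardPorts;
-fwdPortsRange = filter (x: length (splitString "-" x.destination) > 1) forwardPorts;
-
 # nftables maps for port forward
 # l4proto . dport : addr . port
-toFwdMap = forwardPorts: toNftSet (map
+fwdMap = toNftSet (map
 (fwd:
 with (splitIPPorts fwd.destination);
 "${fwd.proto} . ${toNftRange fwd.sourcePort} : ${IP} . ${ports}"
 )
 forwardPorts);
-fwdMap = toFwdMap fwdPorts;
-fwdRangeMap = toFwdMap fwdPortsRange;
 
 # nftables maps for port forward loopback dnat
 # daddr . l4proto . dport : addr . port
-toFwdLoopDnatMap = forwardPorts: toNftSet (concatMap
+fwdLoopDnatMap = toNftSet (concatMap
 (fwd: map
 (loopbackip:
 with (splitIPPorts fwd.destination);
@@ -62,8 +54,6 @@
 )
 fwd.loopbackIPs)
 forwardPorts);
-fwdLoopDnatMap = toFwdLoopDnatMap fwdPorts;
-fwdLoopDnatRangeMap = toFwdLoopDnatMap fwdPortsRange;
 
 # nftables set for port forward loopback snat
 # daddr . l4proto . dport
@@ -79,17 +69,11 @@
 type nat hook prerouting priority dstnat;
 
 ${optionalString (fwdMap != "") ''
-iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward"
-''}
-${optionalString (fwdRangeMap != "") ''
-iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdRangeMap} } comment "port forward"
+iifname "${cfg.externalInterface}" meta l4proto { tcp, udp } dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward"
 ''}
 
 ${optionalString (fwdLoopDnatMap != "") ''
-dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT"
-''}
-${optionalString (fwdLoopDnatRangeMap != "") ''
-dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from other hosts behind NAT"
+meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT"
 ''}
 
 ${optionalString (dmzHost != null) ''
@@ -116,10 +100,7 @@
 type nat hook output priority mangle;
 
 ${optionalString (fwdLoopDnatMap != "") ''
-dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself"
-''}
-${optionalString (fwdLoopDnatRangeMap != "") ''
-dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from the host itself"
+meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself"
 ''}
 }
 '';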
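Review bot: The new `fwdMap` binding in the second hunk folds single ports and port ranges into one dnat map, but the comment it deletes stated that nftables rejected exactly that mix, and nothing on the new side records why a single map is now acceptable, so the next reader will wonder whether the split was dropped by mistake. The `meta l4proto { tcp, udp }` match added in front of each dnat rule in the last three hunks looks like the actual fix (it confines the `th dport` lookup to protocols that carry ports), but that intent is likewise uncommented. I would keep a short comment above `fwdMap = toNftSet (map`, e.g. `# single ports and port ranges share one map; the dnat rules below match l4proto { tcp, udp } first so th dport is well-defined (confirm mixed values load on the packaged nftables)`, and one line above the first guarded rule: `# th dport is only meaningful for tcp/udp, so restrict l4proto before the map lookup`. mkTable spans all of the later hunks and the stretches between them are not shown here.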