Merge pull request #266477 from duament/nixos-nat-nftables

nixos/nat: fix nat-nftables

authored by Maciej Krüger and committed by GitHub 7b1e146a 6a414628

+6 -25
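--- a/nixos/modules/services/networking/nat-nftables.nix
+++ b/nixos/modules/services/networking/nat-nftables.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 
 with lib;
 
@@ -35,26 +35,18 @@
 
   mkTable = { ipVer, dest, ipSet, forwardPorts, dmzHost }:
     let
-      # nftables does not support both port and port range as values in a dnat map.
-      # e.g. "dnat th dport map { 80 : 10.0.0.1 . 80, 443 : 10.0.0.2 . 900-1000 }"
-      # So we split them.
-      fwdPorts = filter (x: length (splitString "-" x.destination) == 1) forwardPorts;
-      fwdPortsRange = filter (x: length (splitString "-" x.destination) > 1) forwardPorts;
-
       # nftables maps for port forward
       # l4proto . dport : addr . port
-      toFwdMap = forwardPorts: toNftSet (map
+      fwdMap = toNftSet (map
         (fwd:
           with (splitIPPorts fwd.destination);
           "${fwd.proto} . ${toNftRange fwd.sourcePort} : ${IP} . ${ports}"
         )
         forwardPorts);
-      fwdMap = toFwdMap fwdPorts;
-      fwdRangeMap = toFwdMap fwdPortsRange;
 
       # nftables maps for port forward loopback dnat
       # daddr . l4proto . dport : addr . port
-      toFwdLoopDnatMap = forwardPorts: toNftSet (concatMap
+      fwdLoopDnatMap = toNftSet (concatMap
         (fwd: map
           (loopbackip:
             with (splitIPPorts fwd.destination);
@@ -62,8 +54,6 @@
           )
           fwd.loopbackIPs)
         forwardPorts);
-      fwdLoopDnatMap = toFwdLoopDnatMap fwdPorts;
-      fwdLoopDnatRangeMap = toFwdLoopDnatMap fwdPortsRange;
 
       # nftables set for port forward loopback snat
       # daddr . l4proto . dport
@@ -79,17 +69,11 @@
         type nat hook prerouting priority dstnat;
 
         ${optionalString (fwdMap != "") ''
-          iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward"
-        ''}
-        ${optionalString (fwdRangeMap != "") ''
-          iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdRangeMap} } comment "port forward"
+          iifname "${cfg.externalInterface}" meta l4proto { tcp, udp } dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward"
         ''}
 
         ${optionalString (fwdLoopDnatMap != "") ''
-          dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT"
-        ''}
-        ${optionalString (fwdLoopDnatRangeMap != "") ''
-          dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from other hosts behind NAT"
+          meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT"
         ''}
 
         ${optionalString (dmzHost != null) ''
@@ -116,10 +100,7 @@
         type nat hook output priority mangle;
 
         ${optionalString (fwdLoopDnatMap != "") ''
-          dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself"
-        ''}
-        ${optionalString (fwdLoopDnatRangeMap != "") ''
-          dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from the host itself"
+          meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself"
         ''}
       }
     '';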
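Review bot: The merged `fwdMap` now carries single-port and port-range values in one dnat map, which the comment removed at old lines 38-40 said nftables rejects, yet the new side records neither why a single map is now acceptable nor what the `meta l4proto { tcp, udp }` prefix added on new lines 72, 76 and 103 is for. If that limitation still applies on the packaged nftables, a host that forwards both a single port and a range would presumably fail at ruleset load rather than at Nix evaluation, so the reasoning deserves a comment in the file rather than only in the PR history. I would add above `fwdMap = toNftSet (map` something like `# "meta l4proto { tcp, udp }" limits the rule to protocols with a transport header so "th dport" is well defined; single ports and ranges share one map (see PR #266477)`. The enclosing mkTable body starts and ends outside the shown hunks.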