From 6c4c86e4a5d247dea382fef1eab38466bdcf2b8b Mon Sep 17 00:00:00 2001
From: Astro
Date: Wed, 7 Jun 2023 23:00:50 +0200
Subject: [PATCH] nixos-module/container/upstream: flush conntrack states after nat startup

---
 nix/nixos-module/container/upstream.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/nix/nixos-module/container/upstream.nix b/nix/nixos-module/container/upstream.nix
index 05e0142..082fb66 100644
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@@ -1,4 +1,4 @@
-{ hostName, config, lib, ... }:
+{ hostName, config, lib, pkgs, ... }:
 let
 hostConf = config.site.hosts.${hostName};
@@ -126,6 +126,10 @@ in
 -j RETURN
 '') upstreamInterfaces.${net}.upstream.noNat.subnets6
 ) (builtins.attrNames upstreamInterfaces)}
+
+ # There just have been moments without a complete ruleset. Flush
+ # out invalid conntrack states!
+ ${pkgs.conntrack-tools}/bin/conntrack -F
 '';
 extraStopCommands = ''
 iptables -F FORWARD 2>/dev/null || true
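Review bot: The added `conntrack -F` flushes every tracked flow in this network namespace, not only the stale entries the comment describes, so each time these commands run every established connection — NAT'd or not — is treated as a new flow on its next packet, and a stateful ruleset that only accepts ESTABLISHED,RELATED will drop or reset it; since firewall extraCommands are presumably re-run on every firewall start or reload, this is a recurring disruption rather than a one-off at boot. The flush also lacks the `2>/dev/null || true` that the sibling extraStopCommands use, so if conntrack cannot reach nf_conntrack (module not yet loaded, or no CAP_NET_ADMIN inside the container) a non-zero exit would abort the whole start script if, as the NixOS firewall script appears to, it runs under `sh -e`. If only flows created while the NAT rules were absent need re-evaluation, consider deleting just those, e.g. `conntrack -D -s <subnet>` per NAT'd subnet, instead of a global flush. At minimum make the comment honest and the command best-effort: `# The ruleset was incomplete for a moment; drop ALL tracked flows so existing` / `# connections are re-evaluated against the NAT rules (disrupts established sessions).` / `${pkgs.conntrack-tools}/bin/conntrack -F 2>/dev/null || true`. The enclosing extraCommands string starts outside the hunk.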