nixos-module/container/upstream: fix SNAT by adding a staticIpv4Address option

2021-09-06 22:58:52 +02:00 · 2021-09-06 22:58:52 +02:00 · 1b4f761de8
parent fd4c8ad65b
commit 1b4f761de8
3 changed files with 35 additions and 25 deletions
--- a/nix/lib/config/legacy.nix
+++ b/nix/lib/config/legacy.nix
@ -149,6 +149,7 @@ in
        upstream1.interfaces.up1.upstream = {
          provider = "vodafone";
          staticIpv4Address = "24.134.104.53";
          noNat.subnets6 = [
            "2a02:8106:208:5200::/56"
          ];
@ -165,6 +166,7 @@ in
          upstream = {
            provider = "dsi";
            link = "up4";
            staticIpv4Address = "81.201.149.152";
            upBandwidth = 98000;
            noNat.subnets6 = [
              "2a00:8180:2000:37::1/128"
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@ -111,6 +111,9 @@ let
      default = null;
      description = "Underlying interface name for eg. PPPoE";
    };
    staticIpv4Address = mkOption {
      type = with types; nullOr str;
    };
    upBandwidth = mkOption {
      type = with types; nullOr int;
      default = null;
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@ -77,32 +77,37 @@ in
            -j ${net}_nat
        '') (builtins.attrNames upstreamInterfaces)
      ) +
-      # Do SNAT on connection attempts so that the actual return path
+      # Do SNAT on connection attempts so that forwarded ports will
-      # won't matter. Forwarded ports will work from internal networks
+      # work from internal networks.
-      # and on services that have Internet through another upstream routers.
+      ''
-      builtins.concatStringsSep "\n" (
+        iptables -w -t nat -N nixos-nat-post-forward 2>/dev/null || \
-        map ({ proto, destination, sourcePort, ... }:
+          iptables -w -t nat -F nixos-nat-post-forward
        ${lib.concatMapStringsSep "\n" (net:
          let
-            ds = builtins.split ":" destination;
+            inherit (upstreamInterfaces.${net}.upstream) staticIpv4Address;
-            ds' =
+          in lib.optionalString (staticIpv4Address != null) ''
-              if builtins.length ds == 3
+            iptables -w -t nat -A nixos-nat-post \
-              then {
+              --source 172.20.0.0/14 \
-                dest = lib.elemAt ds 0;
+              --dest ${staticIpv4Address}/32 \
-                port = lib.elemAt ds 2;
+              -j nixos-nat-post-forward
-              }
+          '') (builtins.attrNames upstreamInterfaces)}
-              else if builtins.length ds == 1
+
-              then {
+        ${lib.concatMapStringsSep "\n" ({ proto, destination, sourcePort, ... }:
-                dest = lib.elemAt ds 0;
+            let
-                port = toString sourcePort;
+              ds = builtins.split ":" destination;
-              }
+              port =
-              else throw "Too many colons in a forwardPorts destination";
+                if builtins.length ds == 3
-            inherit (ds') dest port;
+                then lib.elemAt ds 2
-          in ''
+                else if builtins.length ds == 1
-            iptables -t nat -A nixos-nat-post \
+                then toString sourcePort
-              -p ${proto} --dest ${dest} --dport ${port} \
+                else throw "Too many colons in a forwardPorts destination";
-              -j SNAT --to-source ${config.site.net.core.hosts4.${hostName}}
+            in ''
-        '') hostConf.forwardPorts
+              iptables -t nat -A nixos-nat-post-forward \
-      );
+                -p ${proto} --dport ${port} \
                -j SNAT --to-source ${config.site.net.core.hosts4.${hostName}}
        '') hostConf.forwardPorts}
      '';
    extraStopCommands =
      builtins.concatStringsSep "\n" (
        map (net: ''