nixos-module/container/upstream: try making upstream.noNat.subnets6 actually work
parent
a113f2d4fa
commit
2765dd05e2
|
@ -102,20 +102,14 @@ in
|
||||||
|
|
||||||
# Provide IPv6 upstream for everyone, using NAT66 when not from
|
# Provide IPv6 upstream for everyone, using NAT66 when not from
|
||||||
# our static prefixes
|
# our static prefixes
|
||||||
${lib.concatMapStringsSep "\n" (net: ''
|
${lib.concatMapStringsSep "\n" (net:
|
||||||
ip6tables -t nat -N ${net}_nat || \
|
lib.concatMapStrings (subnet: ''
|
||||||
ip6tables -t nat -F ${net}_nat
|
ip6tables -t nat -I nixos-nat-post \
|
||||||
${lib.concatMapStringsSep "\n" (subnet: ''
|
-o ${net} \
|
||||||
ip6tables -t nat -A ${net}_nat \
|
-s ${subnet} \
|
||||||
-s ${subnet} \
|
-j RETURN
|
||||||
-j RETURN
|
'') upstreamInterfaces.${net}.upstream.noNat.subnets6
|
||||||
'') upstreamInterfaces.${net}.upstream.noNat.subnets6}
|
) (builtins.attrNames upstreamInterfaces)}
|
||||||
ip6tables -t nat -A ${net}_nat -j MASQUERADE
|
|
||||||
|
|
||||||
ip6tables -t nat -A POSTROUTING \
|
|
||||||
-o ${net} \
|
|
||||||
-j ${net}_nat
|
|
||||||
'') (builtins.attrNames upstreamInterfaces)}
|
|
||||||
'';
|
'';
|
||||||
extraStopCommands = ''
|
extraStopCommands = ''
|
||||||
iptables -F FORWARD 2>/dev/null || true
|
iptables -F FORWARD 2>/dev/null || true
|
||||||
|
|
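Review bot: The new rules only insert `RETURN` exceptions into `nixos-nat-post`, so the NAT66 that the comment above still promises now depends on that chain already existing and carrying an IPv6 MASQUERADE rule, neither of which is visible in this hunk. If the chain is absent when these commands run (for example `networking.nat.enableIPv6` is not set, or this block is ordered before the NAT setup), each `ip6tables -I` fails, and depending on how the surrounding script handles errors that either aborts the start or leaves the exemptions missing. `-I` also prepends a fresh copy on every run, so unless the chain is flushed before this block the exemptions accumulate across reloads; the visible part of `extraStopCommands` flushes only `FORWARD`. I would add a comment such as `# RETURN ahead of the MASQUERADE rule that networking.nat installs in nixos-nat-post; requires IPv6 NAT to be enabled there` and confirm the ordering. The enclosing string starts before the hunk and `extraStopCommands` continues past it.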