upstream: disable NAT reflection for DNS port forwards
parent
739d6fefaa
commit
2c3c0fa13c
|
@ -209,11 +209,13 @@ in
|
|||
destination = config.site.net.serv.hosts4.bind;
|
||||
proto = "tcp";
|
||||
sourcePort = 53;
|
||||
reflect = false;
|
||||
}
|
||||
{
|
||||
destination = config.site.net.serv.hosts4.bind;
|
||||
proto = "udp";
|
||||
sourcePort = 53;
|
||||
reflect = false;
|
||||
}
|
||||
{
|
||||
destination = config.site.net.c3d2.hosts4.dn42;
|
||||
|
|
|
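Review bot: The two added `reflect = false;` lines on the tcp and udp port-53 forwards carry no comment, so a reader of this list cannot tell why DNS is treated differently from the other forwards; the rationale lives only in the commit title and in the option description elsewhere. Suggest a comment above the first of them, e.g. `# no NAT reflection for DNS: keep client source IPv4 addresses visible to the resolver`, which also records the trade-off that, per the option description, the forwarded DNS port is then no longer reachable internally via the external address. The enclosing forwardPorts list starts and ends outside the hunk.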
@ -230,6 +230,20 @@ let
|
|||
destination = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
reflect = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Enable NAT reflection
|
||||
|
||||
Any forwarded connection will have our static IPv4
|
||||
address as source so that forwarded services become
|
||||
available internally.
|
||||
|
||||
Unfortunately, this breaks identification by IPv4
|
||||
adress.
|
||||
'';
|
||||
};
|
||||
}; });
|
||||
default = [];
|
||||
};
|
||||
|
|
|
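Review bot: The description of the new `reflect` option has a typo, `adress` should be `address`, and it states the consequence of leaving the default `true` too vaguely for an operator to judge it. Suggest rewording the last paragraph to `Unfortunately, this breaks identification of clients by IPv4 address: the forwarded service only ever sees our own address, so source-based access control, rate limiting and logging cannot distinguish external clients.` Since the default stays `true`, existing forwards keep the old behaviour; it may be worth saying so in the description. The enclosing submodule options set begins outside the hunk.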
@ -81,17 +81,20 @@ in
|
|||
ip6tables -t nat -X ${net}_nat 2>/dev/null || true
|
||||
'') (builtins.attrNames upstreamInterfaces);
|
||||
|
||||
forwardPorts = map ({ destination, sourcePort, ... }@forwardedPort:
|
||||
forwardPorts = map ({ destination, sourcePort, reflect, ... }@forwardedPort:
|
||||
forwardedPort // {
|
||||
destination =
|
||||
if builtins.match ".*:.*" destination != null
|
||||
then destination
|
||||
else "${destination}:${toString sourcePort}";
|
||||
loopbackIPs = builtins.filter (ip: ip != null) (
|
||||
map (net:
|
||||
upstreamInterfaces.${net}.upstream.staticIpv4Address
|
||||
) (builtins.attrNames upstreamInterfaces)
|
||||
);
|
||||
loopbackIPs =
|
||||
if reflect
|
||||
then builtins.filter (ip: ip != null) (
|
||||
map (net:
|
||||
upstreamInterfaces.${net}.upstream.staticIpv4Address
|
||||
) (builtins.attrNames upstreamInterfaces)
|
||||
)
|
||||
else [];
|
||||
}
|
||||
) hostConf.forwardPorts;
|
||||
};
|
||||
|
|
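Review bot: The new `loopbackIPs` expression rebuilds the same filtered list of upstream static IPv4 addresses once per forwarded port, because `map (net: ...) (builtins.attrNames upstreamInterfaces)` does not depend on `forwardedPort`. Hoist it into the surrounding `let` as a single binding, e.g. `upstreamStaticIPv4s = builtins.filter (ip: ip != null) (map (net: upstreamInterfaces.${net}.upstream.staticIpv4Address) (builtins.attrNames upstreamInterfaces));`, and reduce the per-entry line to `loopbackIPs = if reflect then upstreamStaticIPv4s else [];`, which also makes the reflect switch readable at a glance. Destructuring `reflect` without a default in the function pattern is only safe because the option declares `default = true`; if `hostConf.forwardPorts` were ever populated outside the module system the pattern would fail with a missing-attribute error, so `reflect ? true` would be cheap insurance. Whether an empty `loopbackIPs` list is accepted by the consumer of `forwardPorts` is not visible here and should be confirmed. The enclosing attribute set starts before the hunk.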