From 2c3c0fa13caa0e1c36e5ef718264c3e50bac74e8 Mon Sep 17 00:00:00 2001
From: Astro
Date: Sat, 16 Oct 2021 23:56:32 +0200
Subject: [PATCH] upstream: disable NAT reflection for DNS port forwards

---
 nix/lib/config/legacy.nix | 2 ++
 nix/lib/config/options.nix | 14 ++++++++++++++
 nix/nixos-module/container/upstream.nix | 15 +++++++++------
 3 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/nix/lib/config/legacy.nix b/nix/lib/config/legacy.nix
index 88cc5e0..0b1990e 100644
--- a/nix/lib/config/legacy.nix
+++ b/nix/lib/config/legacy.nix
@@ -209,11 +209,13 @@ in
 destination = config.site.net.serv.hosts4.bind;
 proto = "tcp";
 sourcePort = 53;
+reflect = false;
 } {
 destination = config.site.net.serv.hosts4.bind;
 proto = "udp";
 sourcePort = 53;
+reflect = false;
 } {
 destination = config.site.net.c3d2.hosts4.dn42;
diff --git a/nix/lib/config/options.nix b/nix/lib/config/options.nix
index 99eec55..f5a51a9 100644
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@@ -230,6 +230,20 @@ let
 destination = mkOption {
 type = types.str;
 };
+reflect = mkOption {
+type = types.bool;
+default = true;
+description = ''
+Enable NAT reflection
+
+Any forwarded connection will have our static IPv4
+address as source so that forwarded services become
+available internally.
+
+Unfortunately, this breaks identification by IPv4
+adress.
+'';
+};
 };
 });
 default = [];
 };
diff --git a/nix/nixos-module/container/upstream.nix b/nix/nixos-module/container/upstream.nix
index 3efad3b..9a8ca86 100644
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
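Review bot: The description of the new `reflect` option in the options.nix hunk misspells `adress` and its closing sentence understates the operational effect it is warning about: with reflection enabled, the forwarded service sees the upstream's static IPv4 address as the source of every forwarded connection, so anything on that service that logs, rate-limits or authorises by client IPv4 address cannot tell clients apart. Suggest fixing the spelling and ending the description with `Disable this for services that log, rate-limit or authorise by client IPv4 address.` so the reader knows when to turn it off. It would also help to state that the default of `true` preserves the previous behaviour for existing forwardPorts entries that do not set it, which is what the legacy.nix hunk relies on for everything except the port 53 entries.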
@@ -81,17 +81,20 @@ in
 ip6tables -t nat -X ${net}_nat 2>/dev/null || true
 '') (builtins.attrNames upstreamInterfaces);
-forwardPorts = map ({ destination, sourcePort, ... }@forwardedPort:
+forwardPorts = map ({ destination, sourcePort, reflect, ... }@forwardedPort:
 forwardedPort // {
 destination =
 if builtins.match ".*:.*" destination != null
 then destination
 else "${destination}:${toString sourcePort}";
-loopbackIPs = builtins.filter (ip: ip != null) (
-map (net:
-upstreamInterfaces.${net}.upstream.staticIpv4Address
-) (builtins.attrNames upstreamInterfaces)
-);
+loopbackIPs =
+if reflect
+then builtins.filter (ip: ip != null) (
+map (net:
+upstreamInterfaces.${net}.upstream.staticIpv4Address
+) (builtins.attrNames upstreamInterfaces)
+)
+else [];
 }
 ) hostConf.forwardPorts;
 };
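Review bot: The new pattern `{ destination, sourcePort, reflect, ... }@forwardedPort` makes `reflect` a required attribute of every element of `hostConf.forwardPorts`; that is fine if every entry passes through the submodule in options.nix (which supplies `default = true`), but an entry assembled outside the module system would now abort evaluation with a missing-attribute error rather than keep the old behaviour. Writing `{ destination, sourcePort, reflect ? true, ... }@forwardedPort:` gives the map the same fallback at the point of use, at the cost of stating the default twice, so either do that or note next to the pattern that entries are guaranteed to be module-typed. A short comment above the new `loopbackIPs` branch, such as `# reflect = false: no loopback DNAT, so forwarded connections are not re-sourced from our static IPv4`, would explain why an empty list is the non-reflecting case, since NixOS derives the reflection rules from this list. The enclosing attribute set starts and ends outside the hunk.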