nixos-module/container/upstream: remove a lot of stuff by using loopbackIPs for forwarded ports
This commit is contained in:
parent
48cbaf5f08
commit
8b6c7578e8
@ -60,54 +60,39 @@ in
extraCommands =
# Provide IPv6 upstream for everyone, using NAT66 when not from
# our static prefixes
builtins.concatStringsSep "\n" (
map (net: ''
ip6tables -t nat -N ${net}_nat || \
ip6tables -t nat -F ${net}_nat
${builtins.concatStringsSep "\n" (
map (subnet: ''
ip6tables -t nat -A ${net}_nat \
-s ${subnet} \
-j RETURN
'') upstreamInterfaces.${net}.upstream.noNat.subnets6
)}
ip6tables -t nat -A ${net}_nat -j MASQUERADE
lib.concatMapStringsSep "\n" (net: ''
ip6tables -t nat -N ${net}_nat || \
ip6tables -t nat -F ${net}_nat
${lib.concatMapStringsSep "\n" (subnet: ''
ip6tables -t nat -A ${net}_nat \
-s ${subnet} \
-j RETURN
'') upstreamInterfaces.${net}.upstream.noNat.subnets6}
ip6tables -t nat -A ${net}_nat -j MASQUERADE
|
ip6tables -t nat -A POSTROUTING \
-o ${net} \
-j ${net}_nat
'') (builtins.attrNames upstreamInterfaces)
) +
# Do SNAT on connection attempts so that forwarded ports will
# work from internal networks.
''
iptables -w -t nat -N nixos-nat-post-forward 2>/dev/null || \
iptables -w -t nat -F nixos-nat-post-forward
|
${lib.concatMapStringsSep "\n" (net:
let
inherit (upstreamInterfaces.${net}.upstream) staticIpv4Address;
in lib.optionalString (staticIpv4Address != null) ''
iptables -w -t nat -I nixos-nat-post \
-i core \
--dest ${staticIpv4Address}/32 \
-j nixos-nat-post-forward
'') (builtins.attrNames upstreamInterfaces)}
|
${lib.concatMapStringsSep "\n" ({ proto, sourcePort, ... }: ''
iptables -t nat -A nixos-nat-post-forward \
-p ${proto} --dport ${toString sourcePort} \
-j SNAT --to-source ${config.site.net.core.hosts4.${hostName}}
'') hostConf.forwardPorts}
'';
ip6tables -t nat -A POSTROUTING \
-o ${net} \
-j ${net}_nat
'') (builtins.attrNames upstreamInterfaces);
extraStopCommands =
builtins.concatStringsSep "\n" (
map (net: ''
ip6tables -t nat -F POSTROUTING 2>/dev/null || true
ip6tables -t nat -F ${net}_nat 2>/dev/null || true
ip6tables -t nat -X ${net}_nat 2>/dev/null || true
'') (builtins.attrNames upstreamInterfaces)
);
inherit (hostConf) forwardPorts;
lib.concatMapStringsSep "\n" (net: ''
ip6tables -t nat -F POSTROUTING 2>/dev/null || true
ip6tables -t nat -F ${net}_nat 2>/dev/null || true
ip6tables -t nat -X ${net}_nat 2>/dev/null || true
'') (builtins.attrNames upstreamInterfaces);
|
forwardPorts = map ({ destination, sourcePort, ... }@forwardedPort:
forwardedPort // {
destination =
if builtins.match ".*:.*" destination != null
then destination
else "${destination}:${toString sourcePort}";
loopbackIPs = builtins.filter (ip: ip != null) (
map (net:
upstreamInterfaces.${net}.upstream.staticIpv4Address
) (builtins.attrNames upstreamInterfaces)
);
}
) hostConf.forwardPorts;
};
}
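Review bot: Every `forwardPorts` entry now gets `loopbackIPs` set to all upstream `staticIpv4Address` values (the `forwardPorts = map (...)` block at the end of the hunk), and if I read nixpkgs' iptables NAT-reflection implementation correctly, the SNAT rule that option installs in `nixos-nat-post` matches on destination ip:port only, so every forwarded connection — external clients included, not just hairpin traffic from internal networks — reaches the destination with the upstream address as its source, which removes the real client IP from the destination's logs and from any source-based filtering there. That trade-off deserves a comment on the attribute, e.g. `# loopbackIPs: NAT reflection for <upstream static IPv4>:sourcePort; nixpkgs also SNATs all traffic to the destination, so the real client IP is not visible behind the forward`. The `destination` normalisation uses `builtins.match ".*:.*"`, which accepts any colon, so an unbracketed IPv6 destination passes through unchanged and would presumably fail the `ip:port` parse the loopback rules perform; if all destinations here are IPv4 by design, state that next to the match, otherwise the check needs to distinguish the two address families. The enclosing attribute set and its `let ... in` begin before the hunk.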
|