nixos-module/container/upstream: provide NAT6 with noNat.subnets6

2021-05-01 01:14:54 +02:00 · 2021-05-01 01:14:54 +02:00 · 03f755f841
parent 38da586d49
commit 03f755f841
3 changed files with 36 additions and 2 deletions
--- a/nix/lib/config/legacy.nix
+++ b/nix/lib/config/legacy.nix
@ -76,6 +76,12 @@ in
          services.dnscache.enable = true;
        };

+        upstream1.interfaces.up1.upstream.noNat.subnets6 = [
+          "2a02:8106:208:5200::/56"
+        ];
+        upstream2.interfaces.up2.upstream.noNat.subnets6 = [
+          "2a02:8106:208:e900::/56"
+        ];
        upstream1.ospf.upstreamInstance = 3;
        upstream2.ospf.upstreamInstance = 4;
        anon1.ospf.upstreamInstance = 5;
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@ -101,6 +101,11 @@ let
    upBandwidth = mkOption {
      type = with types; nullOr int;
    };
+    noNat.subnets6 = mkOption {
+      type = with types; listOf str;
+      default = [];
+      description = "Do not NAT66 traffic from these public static subnets";
+    };
  };
  interfaceOpts = { name, ... }: {
    options = {
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@ -1,9 +1,11 @@
 { hostName, config, lib, ... }:

 let
+  hostConf = config.site.hosts.${hostName};
+
  upstreamInterfaces =
    lib.filterAttrs (_: { upstream, ... }: upstream != null)
-      config.site.hosts.${hostName}.interfaces;
+      hostConf.interfaces;

  firstUpstreamInterface =
    if builtins.length (builtins.attrNames upstreamInterfaces) > 0
@ -46,6 +48,27 @@ in
    enable = true;
    internalInterfaces = [ "core" ];
    externalInterface = firstUpstreamInterface;
-    inherit (config.site.hosts.${hostName}) forwardPorts;
+    # Provide IPv6 upstream for everyone, using NAT66 when not from
+    # our static prefixes
+    extraCommands =
+      builtins.concatStringsSep "\n" (
+        map (net: ''
+          ip6tables -t nat -X ${net}_nat || true
+          ip6tables -t nat -N ${net}_nat
+          ${builtins.concatStringsSep "\n" (
+            map (subnet: ''
+              ip6tables -t nat -A ${net}_nat \
+                -s ${subnet} \
+                -j RETURN
+            '') upstreamInterfaces.${net}.upstream.noNat.subnets6
+          )}
+          ip6tables -t nat -A ${net}_nat -j MASQUERADE
+
+          ip6tables -t nat -A POSTROUTING \
+            -o ${net} \
+            -j ${net}_nat
+        '') (builtins.attrNames upstreamInterfaces)
+      );
+    inherit (hostConf) forwardPorts;
  };
 }