nixos-module/container/upstream: provide NAT6 with noNat.subnets6
This commit is contained in:
parent
38da586d49
commit
03f755f841
|
@ -76,6 +76,12 @@ in
|
||||||
services.dnscache.enable = true;
|
services.dnscache.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
upstream1.interfaces.up1.upstream.noNat.subnets6 = [
|
||||||
|
"2a02:8106:208:5200::/56"
|
||||||
|
];
|
||||||
|
upstream2.interfaces.up2.upstream.noNat.subnets6 = [
|
||||||
|
"2a02:8106:208:e900::/56"
|
||||||
|
];
|
||||||
upstream1.ospf.upstreamInstance = 3;
|
upstream1.ospf.upstreamInstance = 3;
|
||||||
upstream2.ospf.upstreamInstance = 4;
|
upstream2.ospf.upstreamInstance = 4;
|
||||||
anon1.ospf.upstreamInstance = 5;
|
anon1.ospf.upstreamInstance = 5;
|
||||||
|
|
|
@ -101,6 +101,11 @@ let
|
||||||
upBandwidth = mkOption {
|
upBandwidth = mkOption {
|
||||||
type = with types; nullOr int;
|
type = with types; nullOr int;
|
||||||
};
|
};
|
||||||
|
noNat.subnets6 = mkOption {
|
||||||
|
type = with types; listOf str;
|
||||||
|
default = [];
|
||||||
|
description = "Do not NAT66 traffic from these public static subnets";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
interfaceOpts = { name, ... }: {
|
interfaceOpts = { name, ... }: {
|
||||||
options = {
|
options = {
|
||||||
|
|
|
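Review bot: The new `noNat.subnets6` option is declared as `listOf str` with no further constraint, yet each entry ends up spliced verbatim into an `ip6tables -s` argument by the consumer module, so a malformed value (a trailing comment, an IPv4 range, a prefix without a mask) only surfaces as a shell failure at firewall start rather than at evaluation time. At minimum the option should say what form is expected and give an example, e.g. `description = "IPv6 subnets in CIDR notation whose source traffic is not NAT66'd; each entry is passed verbatim to ip6tables -s";` plus `example = [ "2001:db8:1::/56" ];` (the example is a constructed documentation prefix). If the module already has a CIDR-checking type elsewhere, reuse it here instead of `str`. The enclosing `upstream` option set starts before this hunk.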
@ -1,9 +1,11 @@
|
||||||
{ hostName, config, lib, ... }:
|
{ hostName, config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
|
hostConf = config.site.hosts.${hostName};
|
||||||
|
|
||||||
upstreamInterfaces =
|
upstreamInterfaces =
|
||||||
lib.filterAttrs (_: { upstream, ... }: upstream != null)
|
lib.filterAttrs (_: { upstream, ... }: upstream != null)
|
||||||
config.site.hosts.${hostName}.interfaces;
|
hostConf.interfaces;
|
||||||
|
|
||||||
firstUpstreamInterface =
|
firstUpstreamInterface =
|
||||||
if builtins.length (builtins.attrNames upstreamInterfaces) > 0
|
if builtins.length (builtins.attrNames upstreamInterfaces) > 0
|
||||||
|
@ -46,6 +48,27 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
internalInterfaces = [ "core" ];
|
internalInterfaces = [ "core" ];
|
||||||
externalInterface = firstUpstreamInterface;
|
externalInterface = firstUpstreamInterface;
|
||||||
inherit (config.site.hosts.${hostName}) forwardPorts;
|
# Provide IPv6 upstream for everyone, using NAT66 when not from
|
||||||
|
# our static prefixes
|
||||||
|
extraCommands =
|
||||||
|
builtins.concatStringsSep "\n" (
|
||||||
|
map (net: ''
|
||||||
|
ip6tables -t nat -X ${net}_nat || true
|
||||||
|
ip6tables -t nat -N ${net}_nat
|
||||||
|
${builtins.concatStringsSep "\n" (
|
||||||
|
map (subnet: ''
|
||||||
|
ip6tables -t nat -A ${net}_nat \
|
||||||
|
-s ${subnet} \
|
||||||
|
-j RETURN
|
||||||
|
'') upstreamInterfaces.${net}.upstream.noNat.subnets6
|
||||||
|
)}
|
||||||
|
ip6tables -t nat -A ${net}_nat -j MASQUERADE
|
||||||
|
|
||||||
|
ip6tables -t nat -A POSTROUTING \
|
||||||
|
-o ${net} \
|
||||||
|
-j ${net}_nat
|
||||||
|
'') (builtins.attrNames upstreamInterfaces)
|
||||||
|
);
|
||||||
|
inherit (hostConf) forwardPorts;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
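Review bot: The chain setup in the new `extraCommands` is not idempotent: `ip6tables -t nat -X ${net}_nat || true` runs before the chain is flushed and before the `POSTROUTING -j ${net}_nat` jump from a previous run is removed, so on a firewall reload `-X` fails (chain still referenced), the error is swallowed, the following `-N` fails because the chain already exists, and the unconditional `-A POSTROUTING` appends a duplicate jump each time. The fix is to delete any existing jump(s) first, then flush and delete the chain, then recreate it; the rest of the block can stay as is. Separately, `${subnet}` and `${net}` are interpolated unquoted into shell; the values come from the host's own Nix config so the risk is low, but `-s ${lib.escapeShellArg subnet}` costs nothing and keeps a stray value from being parsed as extra arguments (`lib` is already a module argument). The `networking.nat` attribute set this sits in opens before the hunk.
```nix
map (net: ''
  # Make the rebuild idempotent across firewall reloads: drop the
  # POSTROUTING jump(s) first, then flush and delete the chain.
  while ip6tables -t nat -D POSTROUTING -o ${net} -j ${net}_nat 2>/dev/null; do :; done
  ip6tables -t nat -F ${net}_nat 2>/dev/null || true
  ip6tables -t nat -X ${net}_nat 2>/dev/null || true
  ip6tables -t nat -N ${net}_nat
  # … unchanged: per-subnet RETURN rules, MASQUERADE, POSTROUTING jump …
'') (builtins.attrNames upstreamInterfaces)
```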