nixos-module/container/upstream: provide NAT6 with noNat.subnets6

This commit is contained in:
Astro 2021-05-01 01:14:54 +02:00
parent 38da586d49
commit 03f755f841
3 changed files with 36 additions and 2 deletions


@ -76,6 +76,12 @@ in
services.dnscache.enable = true;
};
upstream1.interfaces.up1.upstream.noNat.subnets6 = [
"2a02:8106:208:5200::/56"
];
upstream2.interfaces.up2.upstream.noNat.subnets6 = [
"2a02:8106:208:e900::/56"
];
upstream1.ospf.upstreamInstance = 3;
upstream2.ospf.upstreamInstance = 4;
anon1.ospf.upstreamInstance = 5;


@ -101,6 +101,11 @@ let
upBandwidth = mkOption {
type = with types; nullOr int;
};
noNat.subnets6 = mkOption {
type = with types; listOf str;
default = [];
description = "Do not NAT66 traffic from these public static subnets";
};
};
interfaceOpts = { name, ... }: {
options = {
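Review bot: The new `noNat.subnets6` option (hunk lines around `type = with types; listOf str;`) accepts any string, yet the third file of this commit splices every entry verbatim into an `ip6tables ... -s ${subnet}` shell line, so a typo or a value with whitespace silently produces a broken or wrong nat script rather than an evaluation error. Tightening the type, e.g. `type = with types; listOf (strMatching "[0-9a-fA-F:]+/[0-9]+");`, would reject malformed entries at evaluation time; at minimum the description should state the contract, e.g. `description = "IPv6 prefixes in CIDR notation excluded from NAT66; each entry is passed verbatim to ip6tables -s";`. The option set this sits in starts before the hunk.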


@ -1,9 +1,11 @@
{ hostName, config, lib, ... }:
let
hostConf = config.site.hosts.${hostName};
upstreamInterfaces =
lib.filterAttrs (_: { upstream, ... }: upstream != null)
config.site.hosts.${hostName}.interfaces;
hostConf.interfaces;
firstUpstreamInterface =
if builtins.length (builtins.attrNames upstreamInterfaces) > 0
@ -46,6 +48,27 @@ in
enable = true;
internalInterfaces = [ "core" ];
externalInterface = firstUpstreamInterface;
inherit (config.site.hosts.${hostName}) forwardPorts;
# Provide IPv6 upstream for everyone, using NAT66 when not from
# our static prefixes
extraCommands =
builtins.concatStringsSep "\n" (
map (net: ''
ip6tables -t nat -X ${net}_nat || true
ip6tables -t nat -N ${net}_nat
${builtins.concatStringsSep "\n" (
map (subnet: ''
ip6tables -t nat -A ${net}_nat \
-s ${subnet} \
-j RETURN
'') upstreamInterfaces.${net}.upstream.noNat.subnets6
)}
ip6tables -t nat -A ${net}_nat -j MASQUERADE
ip6tables -t nat -A POSTROUTING \
-o ${net} \
-j ${net}_nat
'') (builtins.attrNames upstreamInterfaces)
);
inherit (hostConf) forwardPorts;
};
}
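Review bot: The per-interface chain setup in the second hunk of this file is not idempotent: `ip6tables -t nat -X ${net}_nat || true` runs while the chain is still non-empty and still referenced from POSTROUTING, so on any re-run (e.g. a later activation) the `-X` fails and is masked by `|| true`, the following `-N` fails because the chain already exists, and `-A POSTROUTING -o ${net} -j ${net}_nat` appends a duplicate jump each time. Detaching, flushing and then deleting the chain before recreating it makes the block safe to repeat; the matching teardown presumably belongs in `extraStopCommands` so the firewall stop path does not leave stale chains behind. The `-w` flag also seems advisable so these calls wait for the xtables lock instead of failing when NixOS's own iptables commands run concurrently. The `networking.nat` attribute set this lives in starts before the hunk.
```nix
extraCommands =
  builtins.concatStringsSep "\n" (
    map (net: ''
      # Idempotent: detach, flush and delete any chain left by a previous run
      ip6tables -w -t nat -D POSTROUTING -o ${net} -j ${net}_nat 2>/dev/null || true
      ip6tables -w -t nat -F ${net}_nat 2>/dev/null || true
      ip6tables -w -t nat -X ${net}_nat 2>/dev/null || true
      ip6tables -w -t nat -N ${net}_nat
      # … unchanged: RETURN rules for noNat.subnets6, MASQUERADE, POSTROUTING jump …
    '') (builtins.attrNames upstreamInterfaces)
  );
```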