flpk-gw: implement upstream.noNat.subnets4

2022-09-18 01:42:34 +02:00 · 2022-09-18 01:42:34 +02:00 · 05641a7f74
parent f8c1c17a1d
commit 05641a7f74
3 changed files with 16 additions and 1 deletions
--- a/config/net/flpk.nix
+++ b/config/net/flpk.nix
@ -22,11 +22,14 @@
        hwaddr = "0A:14:48:01:16:01";
        type = "veth";
      };
-      # "45.158.40.160/27" "2a0f:5382:acab:1400::1/56"
      up-flpk = {
        type = "wireguard";
        upstream = {
          provider = "flpk";
+          noNat = {
+            subnets4 = [ "45.158.40.160/27" ];
+            subnets6 = [ "2a0f:5382:acab:1400::1/56" ];
+          };
        };
      };
    };
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@ -209,6 +209,11 @@ let
      type = with types; nullOr int;
      default = null;
    };
+    noNat.subnets4 = mkOption {
+      type = with types; listOf str;
+      default = [];
+      description = "Do not NAT traffic from these public static subnets";
+    };
    noNat.subnets6 = mkOption {
      type = with types; listOf str;
      default = [];
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@ -86,6 +86,13 @@ in
        '') config.networking.nat.forwardPorts}
      ''}

+      # Do not NAT our public IPv4 addresses
+      ${lib.concatMapStringsSep "\n" (subnet: ''
+        ip6tables -t nat -I nixos-nat-post \
+          -s ${subnet} \
+          -j RETURN
+      '') upstreamInterfaces.${net}.upstream.noNat.subnets4}
+
      # Provide IPv6 upstream for everyone, using NAT66 when not from
      # our static prefixes
      ${lib.concatMapStringsSep "\n" (net: ''