From 05641a7f74021ea9f18cf1f8e53a2001f5172f81 Mon Sep 17 00:00:00 2001
From: Astro
Date: Sun, 18 Sep 2022 01:42:34 +0200
Subject: [PATCH] flpk-gw: implement upstream.noNat.subnets4

---
 config/net/flpk.nix                     | 5 ++++-
 nix/lib/config/options.nix              | 5 +++++
 nix/nixos-module/container/upstream.nix | 7 +++++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/config/net/flpk.nix b/config/net/flpk.nix
index 991ecb8..bb3d14d 100644
--- a/config/net/flpk.nix
+++ b/config/net/flpk.nix
@@ -22,11 +22,14 @@
       hwaddr = "0A:14:48:01:16:01";
       type = "veth";
     };
-    # "45.158.40.160/27" "2a0f:5382:acab:1400::1/56"
     up-flpk = {
       type = "wireguard";
       upstream = {
         provider = "flpk";
+        noNat = {
+          subnets4 = [ "45.158.40.160/27" ];
+          subnets6 = [ "2a0f:5382:acab:1400::1/56" ];
+        };
       };
     };
   };
diff --git a/nix/lib/config/options.nix b/nix/lib/config/options.nix
index a8e47f0..1d19c23 100644
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@@ -209,6 +209,11 @@ let
         type = with types; nullOr int;
         default = null;
       };
+      noNat.subnets4 = mkOption {
+        type = with types; listOf str;
+        default = [];
+        description = "Do not NAT traffic from these public static subnets";
+      };
       noNat.subnets6 = mkOption {
         type = with types; listOf str;
         default = [];
diff --git a/nix/nixos-module/container/upstream.nix b/nix/nixos-module/container/upstream.nix
index 9e7e2a7..fa3607c 100644
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@@ -86,6 +86,13 @@ in
         '') config.networking.nat.forwardPorts}
       ''}
 
+      # Do not NAT our public IPv4 addresses
+      ${lib.concatMapStringsSep "\n" (subnet: ''
+        ip6tables -t nat -I nixos-nat-post \
+          -s ${subnet} \
+          -j RETURN
+      '') upstreamInterfaces.${net}.upstream.noNat.subnets4}
+
       # Provide IPv6 upstream for everyone, using NAT66 when not from
       # our static prefixes
       ${lib.concatMapStringsSep "\n" (net: ''
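Review bot: `subnets6` is written as `"2a0f:5382:acab:1400::1/56"`, an address with host bits set rather than the prefix `2a0f:5382:acab:1400::/56`; ip6tables masks the host bits silently, but any other consumer of `noNat.subnets6` (an `ip -6 route` call or an nftables set, for instance) may reject a non-canonical prefix, and the value reads as if a single host were meant. Unless the host bits are intentional, write the prefix form: `subnets6 = [ "2a0f:5382:acab:1400::/56" ];`. The removed comment carried the same value, so this is pre-existing rather than introduced here. The `up-flpk` attribute set is entirely within the hunk.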
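Review bot: `noNat.subnets4` is typed `listOf str`, so nothing checks that an entry is an IPv4 CIDR prefix before it is interpolated, unquoted, into a root-run netfilter command in upstream.nix; a typo or a stray space yields a broken or different rule rather than an evaluation error. At minimum the option should document the expected format and carry an example, e.g. `description = "Public static IPv4 prefixes (CIDR) whose traffic must not be NATed";` and `example = [ "45.158.40.160/27" ];`, and the `noNat.subnets6` option that follows would benefit from the same treatment for consistency. The enclosing `let` scope starts outside the hunk.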
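Review bot: The new "Do not NAT our public IPv4 addresses" block runs `ip6tables -t nat -I nixos-nat-post -s ${subnet} -j RETURN` over the IPv4 prefixes from `noNat.subnets4`; ip6tables does not accept an IPv4 address such as `45.158.40.160/27`, so the rule is never installed (and, depending on how the surrounding script treats a failing command, the rest of the NAT setup may abort) and the public IPv4 addresses keep being masqueraded. The command should be `iptables -t nat -I nixos-nat-post \`, leaving the IPv6 sibling below untouched — this looks copied from the IPv6 variant without changing the binary. The block also references `upstreamInterfaces.${net}` while its lambda binds only `subnet`; the IPv6 section that follows iterates with `(net: ''`, so `net` presumably has to be bound in the enclosing scope or this block wrapped in the same iteration. The enclosing definition starts and ends outside the hunk, so that binding cannot be confirmed here.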