flpk-gw: implement upstream.noNat.subnets4
parent
f8c1c17a1d
commit
05641a7f74
|
@ -22,11 +22,14 @@
|
||||||
hwaddr = "0A:14:48:01:16:01";
|
hwaddr = "0A:14:48:01:16:01";
|
||||||
type = "veth";
|
type = "veth";
|
||||||
};
|
};
|
||||||
# "45.158.40.160/27" "2a0f:5382:acab:1400::1/56"
|
|
||||||
up-flpk = {
|
up-flpk = {
|
||||||
type = "wireguard";
|
type = "wireguard";
|
||||||
upstream = {
|
upstream = {
|
||||||
provider = "flpk";
|
provider = "flpk";
|
||||||
|
noNat = {
|
||||||
|
subnets4 = [ "45.158.40.160/27" ];
|
||||||
|
subnets6 = [ "2a0f:5382:acab:1400::1/56" ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
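Review bot: The `subnets6` entry `"2a0f:5382:acab:1400::1/56"` carries host bits (`::1`) together with a /56 prefix length, while the new `subnets4` entry `"45.158.40.160/27"` is a proper network address. ip6tables masks the host bits when it applies the prefix, so the generated rule most likely still matches the intended /56, but the value reads as a single host rather than a subnet. Consider `subnets6 = [ "2a0f:5382:acab:1400::/56" ];` so the configuration states the prefix it means. The removed comment held the same two values, so nothing is lost by dropping it now that they live in structured options.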
@ -209,6 +209,11 @@ let
|
||||||
type = with types; nullOr int;
|
type = with types; nullOr int;
|
||||||
default = null;
|
default = null;
|
||||||
};
|
};
|
||||||
|
noNat.subnets4 = mkOption {
|
||||||
|
type = with types; listOf str;
|
||||||
|
default = [];
|
||||||
|
description = "Do not NAT traffic from these public static subnets";
|
||||||
|
};
|
||||||
noNat.subnets6 = mkOption {
|
noNat.subnets6 = mkOption {
|
||||||
type = with types; listOf str;
|
type = with types; listOf str;
|
||||||
default = [];
|
default = [];
|
||||||
|
|
|
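Review bot: The new `noNat.subnets4` option's description does not say which address family or notation it expects, and `listOf str` does not constrain the value even though it is later interpolated unquoted as an `-s ${subnet}` argument in the generated firewall script. Consider `description = "IPv4 subnets in CIDR notation whose source traffic must not be NATed (public static prefixes)";`, and if this module already has a stricter address type for neighbouring options, reuse it here so a malformed entry fails at evaluation rather than when the firewall script runs. The existing `noNat.subnets6` option directly below appears to be the IPv6 counterpart; keeping the two descriptions parallel would help readers.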
@ -86,6 +86,13 @@ in
|
||||||
'') config.networking.nat.forwardPorts}
|
'') config.networking.nat.forwardPorts}
|
||||||
''}
|
''}
|
||||||
|
|
||||||
|
# Do not NAT our public IPv4 addresses
|
||||||
|
${lib.concatMapStringsSep "\n" (subnet: ''
|
||||||
|
ip6tables -t nat -I nixos-nat-post \
|
||||||
|
-s ${subnet} \
|
||||||
|
-j RETURN
|
||||||
|
'') upstreamInterfaces.${net}.upstream.noNat.subnets4}
|
||||||
|
|
||||||
# Provide IPv6 upstream for everyone, using NAT66 when not from
|
# Provide IPv6 upstream for everyone, using NAT66 when not from
|
||||||
# our static prefixes
|
# our static prefixes
|
||||||
${lib.concatMapStringsSep "\n" (net: ''
|
${lib.concatMapStringsSep "\n" (net: ''
|
||||||
|
|
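Review bot: The new IPv4 rule is emitted with `ip6tables`, yet it iterates `noNat.subnets4` and the comment above it says IPv4; ip6tables rejects an IPv4 `-s` argument such as `45.158.40.160/27`, so the generated firewall script would abort at that line. Change it to `iptables -t nat -I nixos-nat-post \`. The interpolation also references `upstreamInterfaces.${net}.upstream.noNat.subnets4` before the `(net: ''` lambda that begins on the following context line, so unless `net` is bound earlier outside this hunk the expression will not evaluate; the IPv4 block probably needs its own `concatMapStringsSep "\n" (net: ...)` over the upstream interfaces, as the IPv6 block below has. The enclosing string expression starts and ends outside the hunk.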