nixos-module/container/upstream: try making upstream.noNat.subnets6 actually work

2022-09-18 22:48:07 +02:00 · 2022-09-18 22:48:07 +02:00 · 2765dd05e2
parent a113f2d4fa
commit 2765dd05e2
1 changed files with 8 additions and 14 deletions
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@ -102,20 +102,14 @@ in

      # Provide IPv6 upstream for everyone, using NAT66 when not from
      # our static prefixes
-      ${lib.concatMapStringsSep "\n" (net: ''
-        ip6tables -t nat -N ${net}_nat || \
-          ip6tables -t nat -F ${net}_nat
-        ${lib.concatMapStringsSep "\n" (subnet: ''
-          ip6tables -t nat -A ${net}_nat \
-            -s ${subnet} \
-            -j RETURN
-        '') upstreamInterfaces.${net}.upstream.noNat.subnets6}
-        ip6tables -t nat -A ${net}_nat -j MASQUERADE
-
-        ip6tables -t nat -A POSTROUTING \
-          -o ${net} \
-          -j ${net}_nat
-      '') (builtins.attrNames upstreamInterfaces)}
+      ${lib.concatMapStringsSep "\n" (net:
+          lib.concatMapStrings (subnet: ''
+            ip6tables -t nat -I nixos-nat-post \
+              -o ${net} \
+              -s ${subnet} \
+              -j RETURN
+          '') upstreamInterfaces.${net}.upstream.noNat.subnets6
+       ) (builtins.attrNames upstreamInterfaces)}
    '';
    extraStopCommands = ''
      iptables -F FORWARD 2>/dev/null || true