From 2765dd05e2128d54975398e64f55be3d3a09e423 Mon Sep 17 00:00:00 2001
From: Astro
Date: Sun, 18 Sep 2022 22:48:07 +0200
Subject: [PATCH] nixos-module/container/upstream: try making upstream.noNat.subnets6 actually work

---
 nix/nixos-module/container/upstream.nix | 22 ++++++++--------------
 1 file changed, 8 insertions(+), 14 deletions(-)

diff --git a/nix/nixos-module/container/upstream.nix b/nix/nixos-module/container/upstream.nix
index b0141dc..270c49a 100644
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@@ -102,20 +102,14 @@ in
       # Provide IPv6 upstream for everyone, using NAT66 when not from
       # our static prefixes
-      ${lib.concatMapStringsSep "\n" (net: ''
-        ip6tables -t nat -N ${net}_nat || \
-        ip6tables -t nat -F ${net}_nat
-        ${lib.concatMapStringsSep "\n" (subnet: ''
-          ip6tables -t nat -A ${net}_nat \
-            -s ${subnet} \
-            -j RETURN
-        '') upstreamInterfaces.${net}.upstream.noNat.subnets6}
-        ip6tables -t nat -A ${net}_nat -j MASQUERADE
-
-        ip6tables -t nat -A POSTROUTING \
-          -o ${net} \
-          -j ${net}_nat
-      '') (builtins.attrNames upstreamInterfaces)}
+      ${lib.concatMapStringsSep "\n" (net:
+        lib.concatMapStrings (subnet: ''
+          ip6tables -t nat -I nixos-nat-post \
+            -o ${net} \
+            -s ${subnet} \
+            -j RETURN
+        '') upstreamInterfaces.${net}.upstream.noNat.subnets6
+      ) (builtins.attrNames upstreamInterfaces)}
     '';
     extraStopCommands = ''
       iptables -F FORWARD 2>/dev/null || true
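Review bot: The new `ip6tables -t nat -I nixos-nat-post` lines assume that chain already exists when these commands run, but nothing in this hunk creates it; the chain appears to come from the NixOS `networking.nat` setup, which is also installed through the firewall's extra commands, so if this module's commands are ordered before that setup the insert fails on a missing chain and the exemption is silently not in place. Consider wrapping this module's `extraCommands` in `lib.mkAfter`, or at least stating the dependency next to the rules, e.g. `# Requires networking.nat (IPv6) — the nixos-nat-post chain and the MASQUERADE rule are created there; -I puts our RETURN rules ahead of it`. The header comment is now misleading, since the removed per-interface `_nat` chain and its `MASQUERADE` rule are gone and this block no longer performs NAT66 itself; `# Exempt our static prefixes from the NAT66 that networking.nat installs in nixos-nat-post` would describe what remains. I have also not verified whether the NixOS NAT module masquerades on every interface listed in `upstreamInterfaces` the way the removed per-`${net}` rules did, so that is worth checking before relying on this. The enclosing `extraCommands` string starts above the hunk.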