nixos-module/container/upstream: try making upstream.noNat.subnets6 actually work
parent
a113f2d4fa
commit
2765dd05e2
|
@ -102,20 +102,14 @@ in
|
|||
|
||||
# Provide IPv6 upstream for everyone, using NAT66 when not from
|
||||
# our static prefixes
|
||||
${lib.concatMapStringsSep "\n" (net: ''
|
||||
ip6tables -t nat -N ${net}_nat || \
|
||||
ip6tables -t nat -F ${net}_nat
|
||||
${lib.concatMapStringsSep "\n" (subnet: ''
|
||||
ip6tables -t nat -A ${net}_nat \
|
||||
${lib.concatMapStringsSep "\n" (net:
|
||||
lib.concatMapStrings (subnet: ''
|
||||
ip6tables -t nat -I nixos-nat-post \
|
||||
-o ${net} \
|
||||
-s ${subnet} \
|
||||
-j RETURN
|
||||
'') upstreamInterfaces.${net}.upstream.noNat.subnets6}
|
||||
ip6tables -t nat -A ${net}_nat -j MASQUERADE
|
||||
|
||||
ip6tables -t nat -A POSTROUTING \
|
||||
-o ${net} \
|
||||
-j ${net}_nat
|
||||
'') (builtins.attrNames upstreamInterfaces)}
|
||||
'') upstreamInterfaces.${net}.upstream.noNat.subnets6
|
||||
) (builtins.attrNames upstreamInterfaces)}
|
||||
'';
|
||||
extraStopCommands = ''
|
||||
iptables -F FORWARD 2>/dev/null || true
|
||||
|
|
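Review bot: The `-I nixos-nat-post` rule only exempts the `noNat.subnets6` prefixes if that chain already exists in the ip6tables nat table when these commands run, and with the per-interface `${net}_nat -j MASQUERADE` fallback removed, NAT66 for every other source now depends entirely on rules defined outside this hunk. Nothing visible here shows that dependency, so I would state it above the loop, e.g. `# relies on networking.nat (enableIPv6) providing nixos-nat-post and its MASQUERADE rule; -I places these RETURNs ahead of it`, and reword the existing "using NAT66" comment, which no longer matches what the loop emits. Hosts switched in place may also keep the old `${net}_nat` chains and their POSTROUTING jumps until the nat table is flushed, which would presumably leave the old behaviour in effect; it is worth confirming that the stop commands clear them, since the only one visible here is `iptables -F FORWARD`. The enclosing command string starts before the hunk and `extraStopCommands` continues past it.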