zentralwerk/network
zentralwerk
/
network
12
4
Fork 2
Code Issues 4 Pull Requests 1 Releases Wiki Activity

upstream: disable NAT reflection for DNS port forwards

This commit is contained in:
Astro 2021-10-16 23:56:32 +02:00
parent 739d6fefaa
commit 2c3c0fa13c
3 changed files with 25 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nix/lib/config/legacy.nix
View File

@ -209,11 +209,13 @@ in
destination = config.site.net.serv.hosts4.bind;
proto = "tcp";
sourcePort = 53;
reflect = false;
}
{
destination = config.site.net.serv.hosts4.bind;
proto = "udp";
sourcePort = 53;
reflect = false;
}
{
destination = config.site.net.c3d2.hosts4.dn42;

14
nix/lib/config/options.nix
View File

@ -230,6 +230,20 @@ let
destination = mkOption {
type = types.str;
};
reflect = mkOption {
type = types.bool;
default = true;
description = ''
Enable NAT reflection
Any forwarded connection will have our static IPv4
address as source so that forwarded services become
available internally.
Unfortunately, this breaks identification by IPv4
adress.
'';
};
}; });
default = [];
};

15
nix/nixos-module/container/upstream.nix
View File

@ -81,17 +81,20 @@ in
ip6tables -t nat -X ${net}_nat 2>/dev/null || true
'') (builtins.attrNames upstreamInterfaces);
forwardPorts = map ({ destination, sourcePort, ... }@forwardedPort:
forwardPorts = map ({ destination, sourcePort, reflect, ... }@forwardedPort:
forwardedPort // {
destination =
if builtins.match ".*:.*" destination != null
then destination
else "${destination}:${toString sourcePort}";
loopbackIPs = builtins.filter (ip: ip != null) (
map (net:
upstreamInterfaces.${net}.upstream.staticIpv4Address
) (builtins.attrNames upstreamInterfaces)
);
loopbackIPs =
if reflect
then builtins.filter (ip: ip != null) (
map (net:
upstreamInterfaces.${net}.upstream.staticIpv4Address
) (builtins.attrNames upstreamInterfaces)
)
else [];
}
) hostConf.forwardPorts;
};