upstream: disable NAT reflection for DNS port forwards
parent
739d6fefaa
commit
2c3c0fa13c
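--- a/FILE1_PATH_NOT_SHOWN
+++ b/FILE1_PATH_NOT_SHOWN
@@ -209,11 +209,13 @@ in
 destination = config.site.net.serv.hosts4.bind;
 proto = "tcp";
 sourcePort = 53;
+reflect = false;
 }
 {
 destination = config.site.net.serv.hosts4.bind;
 proto = "udp";
 sourcePort = 53;
+reflect = false;
 }
 {
 destination = config.site.net.c3d2.hosts4.dn42;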
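--- a/FILE2_PATH_NOT_SHOWN
+++ b/FILE2_PATH_NOT_SHOWN
@@ -230,6 +230,20 @@ let
 destination = mkOption {
 type = types.str;
 };
+reflect = mkOption {
+type = types.bool;
+default = true;
+description = ''
+Enable NAT reflection
+
+Any forwarded connection will have our static IPv4
+address as source so that forwarded services become
+available internally.
+
+Unfortunately, this breaks identification by IPv4
+adress.
+'';
+};
 }; });
 default = [];
 };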
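Review bot: The description of the new `reflect` option says what reflection does but not what disabling it means, and `adress.` is misspelled. As far as the companion hunk shows, `reflect = false` makes the forward's `loopbackIPs` list empty, so the text should state that consequence for the operator choosing it. Suggested description: `Enable NAT reflection (hairpin NAT) for this forward. When true, clients behind the NAT can reach the service via the static IPv4 address, but such connections arrive with that address as source, which breaks identification by client IPv4 address (ACLs, logs). When false, no loopback addresses are generated for this forward and internal clients must use the internal address.`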
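--- a/FILE3_PATH_NOT_SHOWN
+++ b/FILE3_PATH_NOT_SHOWN
@@ -81,17 +81,20 @@ in
 ip6tables -t nat -X ${net}_nat 2>/dev/null || true
 '') (builtins.attrNames upstreamInterfaces);
 
-forwardPorts = map ({ destination, sourcePort, ... }@forwardedPort:
+forwardPorts = map ({ destination, sourcePort, reflect, ... }@forwardedPort:
 forwardedPort // {
 destination =
 if builtins.match ".*:.*" destination != null
 then destination
 else "${destination}:${toString sourcePort}";
-loopbackIPs = builtins.filter (ip: ip != null) (
-map (net:
-upstreamInterfaces.${net}.upstream.staticIpv4Address
-) (builtins.attrNames upstreamInterfaces)
-);
+loopbackIPs =
+if reflect
+then builtins.filter (ip: ip != null) (
+map (net:
+upstreamInterfaces.${net}.upstream.staticIpv4Address
+) (builtins.attrNames upstreamInterfaces)
+)
+else [];
 }
 ) hostConf.forwardPorts;
 };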
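Review bot: `reflect` is destructured in the new `forwardPorts = map (...)` lambda but is still carried through by `forwardedPort // { … }`, so every element of the resulting list keeps a `reflect` key. If this list is what `networking.nat.forwardPorts` receives (the enclosing attrset opens outside the hunk, so I cannot confirm it), the NixOS submodule for that option declares no `reflect` attribute and evaluation would reject the definition. Stripping it before merging avoids that: `(builtins.removeAttrs forwardedPort [ "reflect" ]) // {`. With that change the `if reflect … else []` branch on `loopbackIPs` is the only behavioural difference from before: a forward with `reflect = false` gets no loopback addresses and therefore, presumably, no hairpin rules, which is the intent of the commit.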