nixos-module/container/upstream: fix SNAT for forwarded ports
parent
501f96a225
commit
48cbaf5f08
@ -88,25 +88,16 @@ in
let
let
inherit (upstreamInterfaces.${net}.upstream) staticIpv4Address;
inherit (upstreamInterfaces.${net}.upstream) staticIpv4Address;
in lib.optionalString (staticIpv4Address != null) ''
in lib.optionalString (staticIpv4Address != null) ''
iptables -w -t nat -A nixos-nat-post \
iptables -w -t nat -I nixos-nat-post \
--source 172.20.0.0/14 \
-i core \
--dest ${staticIpv4Address}/32 \
--dest ${staticIpv4Address}/32 \
-j nixos-nat-post-forward
-j nixos-nat-post-forward
'') (builtins.attrNames upstreamInterfaces)}
'') (builtins.attrNames upstreamInterfaces)}
${lib.concatMapStringsSep "\n" ({ proto, destination, sourcePort, ... }:
${lib.concatMapStringsSep "\n" ({ proto, sourcePort, ... }: ''
let
iptables -t nat -A nixos-nat-post-forward \
ds = builtins.split ":" destination;
-p ${proto} --dport ${toString sourcePort} \
port =
-j SNAT --to-source ${config.site.net.core.hosts4.${hostName}}
if builtins.length ds == 3
then lib.elemAt ds 2
else if builtins.length ds == 1
then toString sourcePort
else throw "Too many colons in a forwardPorts destination";
in ''
iptables -t nat -A nixos-nat-post-forward \
-p ${proto} --dport ${port} \
-j SNAT --to-source ${config.site.net.core.hosts4.${hostName}}
'') hostConf.forwardPorts}
'') hostConf.forwardPorts}
'';
'';
extraStopCommands =
extraStopCommands =
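Review bot: The new `-i core` match on the `iptables -w -t nat -I nixos-nat-post` rule is one that iptables(8) documents only for the INPUT, FORWARD and PREROUTING chains; iptables rejects it on the builtin POSTROUTING chain and accepts it here only because nixos-nat-post is a user-defined chain, so if that chain is reached from nat POSTROUTING (as the NixOS nat module appears to arrange, if I read it right) whether the rule ever matches depends on the kernel supplying an input device at that hook. Please confirm under a forwarded-port test that the rule's counters move in `iptables -w -t nat -L nixos-nat-post -v`, because a silent non-match means the jump to nixos-nat-post-forward and the SNAT behind it never fire. The commit also drops the `--source 172.20.0.0/14` restriction, so when the interface test does hold the jump is wider than before; keeping both, `iptables -w -t nat -I nixos-nat-post -i core --source 172.20.0.0/14 \`, preserves the previous scope while still inserting at the head of the chain. The enclosing `let`/`in` and the `lib.optionalString` string these rules live in begin before this hunk.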