nixos-module/container/upstream: remove a lot of stuff by using loopbackIPs for forwarded ports
parent
48cbaf5f08
commit
8b6c7578e8
|
@ -60,54 +60,39 @@ in
|
||||||
extraCommands =
|
extraCommands =
|
||||||
# Provide IPv6 upstream for everyone, using NAT66 when not from
|
# Provide IPv6 upstream for everyone, using NAT66 when not from
|
||||||
# our static prefixes
|
# our static prefixes
|
||||||
builtins.concatStringsSep "\n" (
|
lib.concatMapStringsSep "\n" (net: ''
|
||||||
map (net: ''
|
ip6tables -t nat -N ${net}_nat || \
|
||||||
ip6tables -t nat -N ${net}_nat || \
|
ip6tables -t nat -F ${net}_nat
|
||||||
ip6tables -t nat -F ${net}_nat
|
${lib.concatMapStringsSep "\n" (subnet: ''
|
||||||
${builtins.concatStringsSep "\n" (
|
ip6tables -t nat -A ${net}_nat \
|
||||||
map (subnet: ''
|
-s ${subnet} \
|
||||||
ip6tables -t nat -A ${net}_nat \
|
-j RETURN
|
||||||
-s ${subnet} \
|
'') upstreamInterfaces.${net}.upstream.noNat.subnets6}
|
||||||
-j RETURN
|
ip6tables -t nat -A ${net}_nat -j MASQUERADE
|
||||||
'') upstreamInterfaces.${net}.upstream.noNat.subnets6
|
|
||||||
)}
|
|
||||||
ip6tables -t nat -A ${net}_nat -j MASQUERADE
|
|
||||||
|
|
||||||
ip6tables -t nat -A POSTROUTING \
|
ip6tables -t nat -A POSTROUTING \
|
||||||
-o ${net} \
|
-o ${net} \
|
||||||
-j ${net}_nat
|
-j ${net}_nat
|
||||||
'') (builtins.attrNames upstreamInterfaces)
|
'') (builtins.attrNames upstreamInterfaces);
|
||||||
) +
|
|
||||||
# Do SNAT on connection attempts so that forwarded ports will
|
|
||||||
# work from internal networks.
|
|
||||||
''
|
|
||||||
iptables -w -t nat -N nixos-nat-post-forward 2>/dev/null || \
|
|
||||||
iptables -w -t nat -F nixos-nat-post-forward
|
|
||||||
|
|
||||||
${lib.concatMapStringsSep "\n" (net:
|
|
||||||
let
|
|
||||||
inherit (upstreamInterfaces.${net}.upstream) staticIpv4Address;
|
|
||||||
in lib.optionalString (staticIpv4Address != null) ''
|
|
||||||
iptables -w -t nat -I nixos-nat-post \
|
|
||||||
-i core \
|
|
||||||
--dest ${staticIpv4Address}/32 \
|
|
||||||
-j nixos-nat-post-forward
|
|
||||||
'') (builtins.attrNames upstreamInterfaces)}
|
|
||||||
|
|
||||||
${lib.concatMapStringsSep "\n" ({ proto, sourcePort, ... }: ''
|
|
||||||
iptables -t nat -A nixos-nat-post-forward \
|
|
||||||
-p ${proto} --dport ${toString sourcePort} \
|
|
||||||
-j SNAT --to-source ${config.site.net.core.hosts4.${hostName}}
|
|
||||||
'') hostConf.forwardPorts}
|
|
||||||
'';
|
|
||||||
extraStopCommands =
|
extraStopCommands =
|
||||||
builtins.concatStringsSep "\n" (
|
lib.concatMapStringsSep "\n" (net: ''
|
||||||
map (net: ''
|
ip6tables -t nat -F POSTROUTING 2>/dev/null || true
|
||||||
ip6tables -t nat -F POSTROUTING 2>/dev/null || true
|
ip6tables -t nat -F ${net}_nat 2>/dev/null || true
|
||||||
ip6tables -t nat -F ${net}_nat 2>/dev/null || true
|
ip6tables -t nat -X ${net}_nat 2>/dev/null || true
|
||||||
ip6tables -t nat -X ${net}_nat 2>/dev/null || true
|
'') (builtins.attrNames upstreamInterfaces);
|
||||||
'') (builtins.attrNames upstreamInterfaces)
|
|
||||||
);
|
forwardPorts = map ({ destination, sourcePort, ... }@forwardedPort:
|
||||||
inherit (hostConf) forwardPorts;
|
forwardedPort // {
|
||||||
|
destination =
|
||||||
|
if builtins.match ".*:.*" destination != null
|
||||||
|
then destination
|
||||||
|
else "${destination}:${toString sourcePort}";
|
||||||
|
loopbackIPs = builtins.filter (ip: ip != null) (
|
||||||
|
map (net:
|
||||||
|
upstreamInterfaces.${net}.upstream.staticIpv4Address
|
||||||
|
) (builtins.attrNames upstreamInterfaces)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
) hostConf.forwardPorts;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
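Review bot: The ip6tables calls in the new extraCommands run without `-w`, while the iptables rules this commit removes did take the xtables lock, so a concurrent iptables run on the host can make `ip6tables -t nat -N ${net}_nat || ip6tables -t nat -F ${net}_nat` fail on both sides and leave the chain missing for the `-A POSTROUTING -o ${net} -j ${net}_nat` that follows; `ip6tables -w -t nat -N ${net}_nat || \` and `ip6tables -w -t nat -F ${net}_nat` (with `-w` on the remaining ip6tables lines too) would match the removed code. Separately, extraStopCommands still runs `ip6tables -t nat -F POSTROUTING` once per upstream, which flushes every nat POSTROUTING rule on the host rather than only this module's jump; deleting the specific rule with `ip6tables -w -t nat -D POSTROUTING -o ${net} -j ${net}_nat 2>/dev/null || true` keeps rules added elsewhere intact. Both lines predate this commit, but they are now the only firewall text the attribute set carries, so this is the place to fix them. The enclosing attribute set is opened before line 60 (the hunk header's `in` shows it sits inside a let binding), and whether a failed extraCommands aborts the NAT service depends on how the surrounding module runs the script, which is not visible here.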