Just copy more upstream code to not do stupid mistakes

2024-04-12 00:18:15 +02:00 · 2024-04-12 00:18:15 +02:00 · 8c844dedd2
parent 6a29757919
commit 8c844dedd2
1 changed files with 9 additions and 6 deletions
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@ -98,20 +98,23 @@ in

      ${lib.optionalString (staticIpv4Address != null) ''
        # Allow connections to ${staticIpv4Address} from other hosts behind NAT
-        ${lib.concatMapStrings (fwd: ''
+        ${lib.concatMapStrings (fwd: let
+            m                = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination;
+            destinationIP    = if m == null then throw "bad ip:ports `${fwd.destination}'" else lib.elemAt m 0;
+            destinationPorts = if m == null then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (lib.elemAt m 1);
+        in ''
          iptables -t nat -A nixos-nat-pre \
            -d ${staticIpv4Address} -p ${fwd.proto} \
            --dport ${builtins.toString fwd.sourcePort} \
            -j DNAT --to-destination ${fwd.destination}

          iptables -t nat -A nixos-nat-post \
-            -d ${lib.elemAt (builtins.match "([0-9.]+):([0-9-]+)" fwd.destination) 0} -p ${fwd.proto} \
-            --dport ${builtins.toString fwd.destination} \
+            -d ${destinationIP} -p ${fwd.proto} \
+            --dport ${destinationPorts} \
            -s ${config.site.net.core.subnet4} -j MASQUERADE
-
          iptables -t nat -A nixos-nat-post \
-            -d ${lib.elemAt (builtins.match "([0-9.]+):([0-9-]+)" fwd.destination) 0} -p ${fwd.proto} \
-            --dport ${builtins.toString fwd.destination} \
+            -d ${destinationIP} -p ${fwd.proto} \
+            --dport ${destinationPorts} \
            -s ${config.site.net.c3d2.subnet4} -j MASQUERADE
        '')  config.networking.nat.forwardPorts}
      ''}