From 8c844dedd24bc2899203f1db2dc92a217b726d21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Fri, 12 Apr 2024 00:18:15 +0200
Subject: [PATCH] Just copy more upstream code to not do stupid mistakes

---
 nix/nixos-module/container/upstream.nix | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/nix/nixos-module/container/upstream.nix b/nix/nixos-module/container/upstream.nix
index bbe7e2f..df4215a 100644
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@@ -98,20 +98,23 @@ in
 ${lib.optionalString (staticIpv4Address != null) '' # Allow connections to ${staticIpv4Address} from other hosts behind NAT - ${lib.concatMapStrings (fwd: '' + ${lib.concatMapStrings (fwd: let + m = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination; + destinationIP = if m == null then throw "bad ip:ports `${fwd.destination}'" else lib.elemAt m 0; + destinationPorts = if m == null then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (lib.elemAt m 1); + in '' iptables -t nat -A nixos-nat-pre \ -d ${staticIpv4Address} -p ${fwd.proto} \ --dport ${builtins.toString fwd.sourcePort} \ -j DNAT --to-destination ${fwd.destination} iptables -t nat -A nixos-nat-post \ -d ${lib.elemAt (builtins.match "([0-9.]+):([0-9-]+)" fwd.destination) 0} -p ${fwd.proto} \ --dport ${builtins.toString fwd.destination} \ + -d ${destinationIP} -p ${fwd.proto} \ + --dport ${destinationPorts} \ -s ${config.site.net.core.subnet4} -j MASQUERADE - iptables -t nat -A nixos-nat-post \ - -d ${lib.elemAt (builtins.match "([0-9.]+):([0-9-]+)" fwd.destination) 0} -p ${fwd.proto} \ - --dport ${builtins.toString fwd.destination} \ + -d ${destinationIP} -p ${fwd.proto} \ + --dport ${destinationPorts} \ -s ${config.site.net.c3d2.subnet4} -j MASQUERADE '') config.networking.nat.forwardPorts} ''}
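Review bot: The second `iptables -t nat -A nixos-nat-post \` line, the one opening the c3d2 MASQUERADE rule, is removed by the hunk but not added back on the new side, as far as the collapsed hunk and its 9 insertions / 6 deletions diffstat let me tell (the markers of the first rule's two replaced `-d`/`--dport` lines appear lost in the collapse, so this is inferred from the counts). After `-s ${config.site.net.core.subnet4} -j MASQUERADE` the next line `-d ${destinationIP} -p ${fwd.proto} \` would then begin a new shell command in the generated NAT script, which either aborts the script or silently skips the hairpin MASQUERADE rule for the c3d2 subnet depending on the shell options it runs under, and presumably breaks forwarded-port access from that subnet while the core subnet keeps working. The fix is to re-add `iptables -t nat -A nixos-nat-post \` directly before that `-d ${destinationIP}` continuation line, mirroring the core block above it. The attribute that this script string is assigned to starts before the hunk, so the surrounding `lib.optionalString` expression is only partly visible here.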