From 8d9f4e247d52c9062d40724e90dd4ab61cf5b98a Mon Sep 17 00:00:00 2001
From: Niten
Date: Wed, 17 Mar 2021 22:29:34 +0000
Subject: [PATCH] Try using builtin forwardPorts

---
 lib/fudo/system.nix | 92 ++++++++++++++++++---------------------------
 1 file changed, 37 insertions(+), 55 deletions(-)

diff --git a/lib/fudo/system.nix b/lib/fudo/system.nix
index f9cb7bb..ee85fed 100644
--- a/lib/fudo/system.nix
+++ b/lib/fudo/system.nix
@@ -439,65 +439,47 @@ in { "net.ipv4.conf.all.route_localnet" = "1"; }; - networking.firewall = let - iptables = "ip46tables"; - ip-forward-line = protocols: internal: external: - concatStringsSep "\n" (map (protocol: '' - # ${iptables} -I PREROUTING -p ${protocol} --dport ${ - toString external - } -j REDIRECT --to-ports ${toString internal} - # ${iptables} -I OUTPUT -p ${protocol} -i lo --dport ${ - toString external - } -j REDIRECT --to-ports ${toString internal} - # ${iptables} -I OUTPUT -p ${protocol} -o lo --dport ${ - toString external - } -j REDIRECT --to-ports ${toString internal} + # networking.firewall = let + # iptables = "ip46tables"; + # ip-forward-line = protocols: internal: external: + # concatStringsSep "\n" (map (protocol: '' + # ${iptables} -t nat -I PREROUTING -p ${protocol} --dport ${ + # toString external + # } -j REDIRECT --to-ports ${toString internal} + # ${iptables} -t nat -I OUTPUT -s lo -p ${protocol} --dport ${ + # toString external + # } -j REDIRECT --to-ports ${toString internal} + # '') protocols); - # ${iptables} -t nat -I PREROUTING -p ${protocol} --dport ${ - toString external - } -j REDIRECT --to-ports ${toString internal} - # ${iptables} -t nat -I OUTPUT -p ${protocol} -i lo --dport ${ - toString external - } -j REDIRECT --to-ports 127.0.0.1:${toString internal} - # ${iptables} -t nat -I OUTPUT -p ${protocol} -o lo --dport ${ - toString external - } -j REDIRECT --to-ports ${toString internal} - '') protocols); + # ip-unforward-line = protocols: internal: external: + # concatStringsSep "\n" (map (protocol: '' + # ${iptables} -t nat -D PREROUTING -p ${protocol} --dport ${ + # toString external + # } -j REDIRECT --to-ports ${toString internal} + # ${iptables} -t nat -D OUTPUT -s lo -p ${protocol} --dport ${ + # toString external + # } -j REDIRECT --to-ports ${toString internal} + # '') protocols); + # in { + # enable = true; - ip-unforward-line = protocols: internal: external: - concatStringsSep "\n" (map (protocol: '' - # 
${iptables} -D PREROUTING -p ${protocol} --dport ${ - toString external - } -j REDIRECT --to-ports ${toString internal} - # ${iptables} -D OUTPUT -p ${protocol} -i lo --dport ${ - toString external - } -j REDIRECT --to-ports ${toString internal} - # ${iptables} -D OUTPUT -p ${protocol} -o lo --dport ${ - toString external - } -j REDIRECT --to-ports ${toString internal} + # extraCommands = concatStringsSep "\n" (mapAttrsToList (name: opts: + # ip-forward-line opts.protocols opts.internal-port opts.external-port) + # cfg.internal-port-map); + # extraStopCommands = concatStringsSep "\n" (mapAttrsToList (name: opts: + # ip-unforward-line opts.protocols opts.internal-port opts.external-port) + # cfg.internal-port-map); + # }; - # ${iptables} -t nat -D PREROUTING -p ${protocol} --dport ${ - toString external - } -j REDIRECT --to-ports ${toString internal} - # ${iptables} -t nat -D OUTPUT -p ${protocol} -i lo --dport ${ - toString external - } -j REDIRECT --to-ports 127.0.0.1:${toString internal} - # ${iptables} -t nat -D OUTPUT -p ${protocol} -o lo --dport ${ - toString external - } -j REDIRECT --to-ports ${toString internal} - '') protocols); - in { - enable = true; - - extraCommands = concatStringsSep "\n" (mapAttrsToList (name: opts: - ip-forward-line opts.protocols opts.internal-port opts.external-port) - cfg.internal-port-map); - - extraStopCommands = concatStringsSep "\n" (mapAttrsToList (name: opts: - ip-unforward-line opts.protocols opts.internal-port opts.external-port) - cfg.internal-port-map); - }; + networking.nat.forwardPorts = + let portmaps = (attrValues opts.external-port); + in concatMap (opts: + map (protocol: { + destination = "127.0.0.1:${toString opts.internal-port}"; + sourcePort = opts.external-port; + proto = protocol; + }) opts.protocols) (attrValues cfg.internal-port-map); # Services.xinetd = mkIf ((length (attrNames cfg.internal-port-map)) > 0) { # enable = true;
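Review bot: The `let portmaps = (attrValues opts.external-port);` on the new `networking.nat.forwardPorts` binding refers to `opts` before it is bound (`opts` is only the parameter of the lambda handed to `concatMap`) and `portmaps` is never used, so unless an `opts` exists in an enclosing scope outside this hunk, Nix's static identifier resolution rejects the file with an undefined-variable error; drop the `let … in` and write `networking.nat.forwardPorts = concatMap (opts:` directly. These entries only turn into DNAT rules when `networking.nat.enable` and `networking.nat.externalInterface` are set, which nothing in this hunk does, and as far as I recall the NAT module also switches on IPv4 forwarding and rewrites only packets arriving on that external interface, so the `route_localnet = 1` sysctl kept in the context above remains what lets the rewritten packets reach 127.0.0.1 — worth a comment above the binding such as `# DNAT to 127.0.0.1 relies on route_localnet=1 above and needs networking.nat.enable/externalInterface set`. After DNAT the packet hits the filter INPUT chain with the internal port as destination and the external interface as ingress, so the internal ports (not the external ones) must be opened in the firewall, and the old block's explicit `enable = true` for the firewall is now commented out (still the NixOS default, but no longer asserted here). `sourcePort = opts.external-port` passes the port without the `toString` the old code used; that is correct for the integer the NixOS option expects only if `external-port` is declared as an int in `cfg.internal-port-map`, whose definition lies outside this hunk.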