public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/nat: create nixos-nat-{pre,post,out} in ip6tables too

This commit is contained in:
volth 2019-09-10 21:58:19 +00:00 committed by GitHub
parent 70a0add412
commit 3e792fb6df
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 15 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
nixos/modules/services/networking/nat.nix
View File

@ -13,20 +13,24 @@ let
dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}"; dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}";
flushNat = '' flushNat = ''
iptables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true ip46tables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true
iptables -w -t nat -F nixos-nat-pre 2>/dev/null || true ip46tables -w -t nat -F nixos-nat-pre 2>/dev/null || true
iptables -w -t nat -X nixos-nat-pre 2>/dev/null || true ip46tables -w -t nat -X nixos-nat-pre 2>/dev/null || true
iptables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true ip46tables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true
iptables -w -t nat -F nixos-nat-post 2>/dev/null || true ip46tables -w -t nat -F nixos-nat-post 2>/dev/null || true
iptables -w -t nat -X nixos-nat-post 2>/dev/null || true ip46tables -w -t nat -X nixos-nat-post 2>/dev/null || true
ip46tables -w -t nat -D OUTPUT -j nixos-nat-out 2>/dev/null || true
ip46tables -w -t nat -F nixos-nat-out 2>/dev/null || true
ip46tables -w -t nat -X nixos-nat-out 2>/dev/null || true
${cfg.extraStopCommands} ${cfg.extraStopCommands}
''; '';
setupNat = '' setupNat = ''
# Create subchain where we store rules # Create subchain where we store rules
iptables -w -t nat -N nixos-nat-pre ip46tables -w -t nat -N nixos-nat-pre
iptables -w -t nat -N nixos-nat-post ip46tables -w -t nat -N nixos-nat-post
ip46tables -w -t nat -N nixos-nat-out
# We can't match on incoming interface in POSTROUTING, so # We can't match on incoming interface in POSTROUTING, so
# mark packets coming from the external interfaces. # mark packets coming from the external interfaces.
@ -88,8 +92,9 @@ let
${cfg.extraCommands} ${cfg.extraCommands}
# Append our chains to the nat tables # Append our chains to the nat tables
iptables -w -t nat -A PREROUTING -j nixos-nat-pre ip46tables -w -t nat -A PREROUTING -j nixos-nat-pre
iptables -w -t nat -A POSTROUTING -j nixos-nat-post ip46tables -w -t nat -A POSTROUTING -j nixos-nat-post
ip46tables -w -t nat -A OUTPUT -j nixos-nat-out
''; '';
in in