From a24e4b4af20a0b95c13edfbf4b5705a27ff8f045 Mon Sep 17 00:00:00 2001 From: Jack Cummings Date: Fri, 5 Oct 2012 22:10:38 -0700 Subject: [PATCH 1/3] nat: enable NAT for multiple networks --- modules/services/networking/nat.nix | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/modules/services/networking/nat.nix b/modules/services/networking/nat.nix index c51eeb54be7..ff6ff02f7e9 100644 --- a/modules/services/networking/nat.nix +++ b/modules/services/networking/nat.nix @@ -1,4 +1,6 @@ # This module enables Network Address Translation (NAT). +# XXX: todo: support multiple upstream links +# see http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html { config, pkgs, ... }: @@ -25,11 +27,11 @@ in }; networking.nat.internalIPs = mkOption { - example = "192.168.1.0/24"; + example = [ "192.168.1.0/24" ] ; description = '' - The IP address range for which to perform NAT. Packets - coming from these addresses and destined for the external + The IP address ranges for which to perform NAT. Packets + coming from these networks and destined for the external interface will be rewritten. ''; }; @@ -76,13 +78,17 @@ in '' iptables -t nat -F POSTROUTING iptables -t nat -X - + '' + + (concatMapStrings (network: + '' iptables -t nat -A POSTROUTING \ - -s ${cfg.internalIPs} -o ${cfg.externalInterface} \ + -s ${network} -o ${cfg.externalInterface} \ ${if cfg.externalIP == "" then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}"} - + '' + ) cfg.internalIPs) + + '' echo 1 > /proc/sys/net/ipv4/ip_forward ''; @@ -91,7 +97,5 @@ in iptables -t nat -F POSTROUTING ''; }; - }; - } From be3e8124394e3c2a452e168fc3cb18411eb56ecd Mon Sep 17 00:00:00 2001 
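Review bot: The header comment now carries a TODO about multiple upstream links, which this commit does not implement, plus an external link, on the lines that describe what the module does; a reader of the header will take it as the module's status rather than a future idea. It reads better attached to the option it concerns, e.g. a comment on `externalInterface` such as `# TODO: only a single external interface is supported; see <URL from the patch>`, or as a tracking issue rather than a module comment. The rest of the module header is outside the hunk.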
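Review bot: `internalIPs` now shows a list in `example`, but as far as this hunk shows no `type` is declared, so a configuration that still passes the old string form is accepted at option level and only fails later inside `concatMapStrings` with a type error that does not name the option. Adding `type = types.listOf types.string;` next to `example` would reject a string value with a message that names `networking.nat.internalIPs`. The description could also state the entry format the example implies: `The IP address ranges (in CIDR notation) for which to perform NAT.`. The rest of the `mkOption` block, including any `default`, is outside the hunk.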
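Review bot: With the POSTROUTING rule now generated per entry of `cfg.internalIPs`, an empty list yields no NAT rule at all while the unconditional `echo 1 > /proc/sys/net/ipv4/ip_forward` still turns on forwarding, so the host forwards between its interfaces without translating anything; the old string form at least produced a visibly broken iptables invocation. An assertion that the list is non-empty when NAT is enabled, or wrapping the sysctl write in the same emptiness check, keeps forwarding tied to an actual translation rule. The following hunk also drops a `};` and a blank line at the end of the file without a matching opening removed anywhere in this patch; I cannot see the full attribute set, so it is worth confirming the module still parses. The enclosing script string starts before the hunk.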
From: Jack Cummings Date: Fri, 5 Oct 2012 22:11:16 -0700 Subject: [PATCH 2/3] Wrong branch. Revert " nat: enable NAT for multiple networks" This reverts commit a24e4b4af20a0b95c13edfbf4b5705a27ff8f045. --- modules/services/networking/nat.nix | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/modules/services/networking/nat.nix b/modules/services/networking/nat.nix index ff6ff02f7e9..c51eeb54be7 100644 --- a/modules/services/networking/nat.nix +++ b/modules/services/networking/nat.nix @@ -1,6 +1,4 @@ # This module enables Network Address Translation (NAT). -# XXX: todo: support multiple upstream links -# see http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html { config, pkgs, ... }: @@ -27,11 +25,11 @@ in }; networking.nat.internalIPs = mkOption { - example = [ "192.168.1.0/24" ] ; + example = "192.168.1.0/24"; description = '' - The IP address ranges for which to perform NAT. Packets - coming from these networks and destined for the external + The IP address range for which to perform NAT. Packets + coming from these addresses and destined for the external interface will be rewritten. ''; }; @@ -78,17 +76,13 @@ in '' iptables -t nat -F POSTROUTING iptables -t nat -X - '' - + (concatMapStrings (network: - '' + iptables -t nat -A POSTROUTING \ - -s ${network} -o ${cfg.externalInterface} \ + -s ${cfg.internalIPs} -o ${cfg.externalInterface} \ ${if cfg.externalIP == "" then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}"} - '' - ) cfg.internalIPs) + - '' + echo 1 > /proc/sys/net/ipv4/ip_forward ''; @@ -97,5 +91,7 @@ in iptables -t nat -F POSTROUTING ''; }; + }; + } From 1cbad692c3156163b01268270a4efa261e479206 Mon Sep 17 00:00:00 2001 From: Jack Cummings Date: Sun, 21 Oct 2012 21:46:05 -0700 Subject: [PATCH 3/3] Add an option to add 'option=single-request' to /etc/resolv.conf. --- modules/config/networking.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) 
diff --git a/modules/config/networking.nix b/modules/config/networking.nix index c6ea171bf3d..3905f28b610 100644 --- a/modules/config/networking.nix +++ b/modules/config/networking.nix @@ -16,6 +16,18 @@ let ''; }; + networking.dnsSingleRequest = pkgs.lib.mkOption { + default = false; + description = '' + Recent versions of glibc will issue both ipv4 (A) and ipv6 (AAAA) + address queries at the same time, from the same port. Sometimes upstream + routers will systemically drop the ipv4 queries. The symptom of this problem is + that 'getent hosts example.com' only returns ipv6 (or perhaps only ipv4) addresses. The + workaround for this is to specify the option 'single-request' in + /etc/resolve.conf. This option enables that. + ''; + }; + }; in @@ -60,6 +72,9 @@ in # Invalidate the nscd cache whenever resolv.conf is # regenerated. libc_restart='${pkgs.upstart}/sbin/start invalidate-nscd' + '' + optionalString cfg.dnsSingleRequest '' + # only send one DNS request at a time + resolv_conf_options='single-request' '' + optionalString config.services.bind.enable '' # This hosts runs a full-blown DNS resolver. name_servers='127.0.0.1'
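Review bot: The description points users to `/etc/resolve.conf`; the file being written is `/etc/resolv.conf`, which the same description names correctly two sentences earlier and the commit subject also uses, so the last sentence should read `workaround for this is to specify the option 'single-request' in /etc/resolv.conf.`. The option declares `default = false;` but no `type`, so a non-boolean value is accepted until `optionalString` evaluates it; `type = pkgs.lib.types.bool;` (matching the qualified `pkgs.lib.mkOption` style used here) would fail at option checking instead. The closing sentence "This option enables that." could say what actually happens: `Setting this option adds 'single-request' to the options line of /etc/resolv.conf.`. The enclosing `let` block continues outside the hunk.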
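Review bot: The added conditional reads `cfg.dnsSingleRequest` while the adjacent condition in the same expression reads `config.services.bind.enable`, and the option in the first hunk is declared as `networking.dnsSingleRequest`; the hunk does not show a `cfg` binding, so unless this file already defines something like `cfg = config.networking` the new expression fails to evaluate. The comment `# only send one DNS request at a time` overstates the effect: with `single-request` glibc still issues both the A and AAAA queries, just sequentially instead of in parallel, so `# send A and AAAA queries sequentially rather than in parallel (works around routers that drop one of them)` matches the option description. The surrounding lines look like a resolvconf.conf fragment of plain shell assignments, so if another part of this string already sets `resolv_conf_options` the later assignment replaces it rather than appending; I cannot see the rest of the string to tell. The generated configuration string begins before the hunk.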