nixos: fix ip46tables invocation in nat

2019-12-14 20:10:17 -08:00 · 2019-12-14 20:10:17 -08:00 · 5ee439eb08
commit 5ee439eb08
parent 367676ce82
3 changed files with 18 additions and 13 deletions
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@ -42,16 +42,7 @@ let

  kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false);

-  helpers =
-    ''
-      # Helper command to manipulate both the IPv4 and IPv6 tables.
-      ip46tables() {
-        iptables -w "$@"
-        ${optionalString config.networking.enableIPv6 ''
-          ip6tables -w "$@"
-        ''}
-      }
-    '';
+  helpers = import ./helpers.nix { inherit config lib; };

  writeShScript = name: text: let dir = pkgs.writeScriptBin name ''
    #! ${pkgs.runtimeShell} -e
@ -271,7 +262,7 @@ let
      apply = canonicalizePortList;
      example = [ 22 80 ];
      description =
-        '' 
+        ''
          List of TCP ports on which incoming connections are
          accepted.
        '';
@ -282,7 +273,7 @@ let
      default = [ ];
      example = [ { from = 8999; to = 9003; } ];
      description =
-        '' 
+        ''
          A range of TCP ports on which incoming connections are
          accepted.
        '';
--- a/nixos/modules/services/networking/helpers.nix
+++ b/nixos/modules/services/networking/helpers.nix
@ -0,0 +1,11 @@
+{ config, lib, ... }: ''
+  # Helper command to manipulate both the IPv4 and IPv6 tables.
+  ip46tables() {
+    iptables -w "$@"
+    ${
+      lib.optionalString config.networking.enableIPv6 ''
+        ip6tables -w "$@"
+      ''
+    }
+  }
+''
--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
@ -7,12 +7,14 @@
 with lib;

 let
-
  cfg = config.networking.nat;

  dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}";

+  helpers = import ./helpers.nix { inherit config lib; };
+
  flushNat = ''
+    ${helpers}
    ip46tables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true
    ip46tables -w -t nat -F nixos-nat-pre 2>/dev/null || true
    ip46tables -w -t nat -X nixos-nat-pre 2>/dev/null || true
@ -27,6 +29,7 @@ let
  '';

  setupNat = ''
+    ${helpers}
    # Create subchain where we store rules
    ip46tables -w -t nat -N nixos-nat-pre
    ip46tables -w -t nat -N nixos-nat-post