Merge pull request #266477 from duament/nixos-nat-nftables

nixos/nat: fix nat-nftables
Maciej Krüger 2023-11-25 12:58:48 +01:00 committed by GitHub
commit 7b1e146a49
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, ... }:
with lib;
@ -35,26 +35,18 @@ let
mkTable = { ipVer, dest, ipSet, forwardPorts, dmzHost }:
let
# nftables does not support both port and port range as values in a dnat map.
# e.g. "dnat th dport map { 80 : 10.0.0.1 . 80, 443 : 10.0.0.2 . 900-1000 }"
# So we split them.
fwdPorts = filter (x: length (splitString "-" x.destination) == 1) forwardPorts;
fwdPortsRange = filter (x: length (splitString "-" x.destination) > 1) forwardPorts;
# nftables maps for port forward
# l4proto . dport : addr . port
toFwdMap = forwardPorts: toNftSet (map
fwdMap = toNftSet (map
(fwd:
with (splitIPPorts fwd.destination);
"${fwd.proto} . ${toNftRange fwd.sourcePort} : ${IP} . ${ports}"
)
forwardPorts);
fwdMap = toFwdMap fwdPorts;
fwdRangeMap = toFwdMap fwdPortsRange;
# nftables maps for port forward loopback dnat
# daddr . l4proto . dport : addr . port
toFwdLoopDnatMap = forwardPorts: toNftSet (concatMap
fwdLoopDnatMap = toNftSet (concatMap
(fwd: map
(loopbackip:
with (splitIPPorts fwd.destination);
@ -62,8 +54,6 @@ let
)
fwd.loopbackIPs)
forwardPorts);
fwdLoopDnatMap = toFwdLoopDnatMap fwdPorts;
fwdLoopDnatRangeMap = toFwdLoopDnatMap fwdPortsRange;
# nftables set for port forward loopback snat
# daddr . l4proto . dport
@ -79,17 +69,11 @@ let
type nat hook prerouting priority dstnat;
${optionalString (fwdMap != "") ''
iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward"
''}
${optionalString (fwdRangeMap != "") ''
iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdRangeMap} } comment "port forward"
iifname "${cfg.externalInterface}" meta l4proto { tcp, udp } dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward"
''}
${optionalString (fwdLoopDnatMap != "") ''
dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT"
''}
${optionalString (fwdLoopDnatRangeMap != "") ''
dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from other hosts behind NAT"
meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT"
''}
${optionalString (dmzHost != null) ''
@ -116,10 +100,7 @@ let
type nat hook output priority mangle;
${optionalString (fwdLoopDnatMap != "") ''
dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself"
''}
${optionalString (fwdLoopDnatRangeMap != "") ''
dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from the host itself"
meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself"
''}
}
'';
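Review bot: The merged `fwdMap` now holds single ports and port ranges in one map, but the only comment left on it (`# nftables maps for port forward` / `# l4proto . dport : addr . port`) no longer says why the split that the removed comment called necessary is gone; a one-line note such as `# single ports and ranges can share one map now that the rules match meta l4proto { tcp, udp } explicitly` would keep the next maintainer from reintroducing it, and the same applies to `fwdLoopDnatMap`. The new `meta l4proto { tcp, udp }` guard on the dnat rules in the later hunks also means a `forwardPorts` entry whose `proto` is anything other than tcp or udp would become a silently unreachable map entry, if the option admits such values — an assertion in the module would make that visible rather than silent. `mkTable`'s `let` body continues past the hunk, and the final hunk appears to end one line beyond what is shown here.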