Merge pull request #266477 from duament/nixos-nat-nftables
nixos/nat: fix nat-nftables
7b1e146a49
@ -1,4 +1,4 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
@ -35,26 +35,18 @@ let
|
|||||||
|
|
||||||
mkTable = { ipVer, dest, ipSet, forwardPorts, dmzHost }:
|
mkTable = { ipVer, dest, ipSet, forwardPorts, dmzHost }:
|
||||||
let
|
let
|
||||||
# nftables does not support both port and port range as values in a dnat map.
|
|
||||||
# e.g. "dnat th dport map { 80 : 10.0.0.1 . 80, 443 : 10.0.0.2 . 900-1000 }"
|
|
||||||
# So we split them.
|
|
||||||
fwdPorts = filter (x: length (splitString "-" x.destination) == 1) forwardPorts;
|
|
||||||
fwdPortsRange = filter (x: length (splitString "-" x.destination) > 1) forwardPorts;
|
|
||||||
|
|
||||||
# nftables maps for port forward
|
# nftables maps for port forward
|
||||||
# l4proto . dport : addr . port
|
# l4proto . dport : addr . port
|
||||||
toFwdMap = forwardPorts: toNftSet (map
|
fwdMap = toNftSet (map
|
||||||
(fwd:
|
(fwd:
|
||||||
with (splitIPPorts fwd.destination);
|
with (splitIPPorts fwd.destination);
|
||||||
"${fwd.proto} . ${toNftRange fwd.sourcePort} : ${IP} . ${ports}"
|
"${fwd.proto} . ${toNftRange fwd.sourcePort} : ${IP} . ${ports}"
|
||||||
)
|
)
|
||||||
forwardPorts);
|
forwardPorts);
|
||||||
fwdMap = toFwdMap fwdPorts;
|
|
||||||
fwdRangeMap = toFwdMap fwdPortsRange;
|
|
||||||
|
|
||||||
# nftables maps for port forward loopback dnat
|
# nftables maps for port forward loopback dnat
|
||||||
# daddr . l4proto . dport : addr . port
|
# daddr . l4proto . dport : addr . port
|
||||||
toFwdLoopDnatMap = forwardPorts: toNftSet (concatMap
|
fwdLoopDnatMap = toNftSet (concatMap
|
||||||
(fwd: map
|
(fwd: map
|
||||||
(loopbackip:
|
(loopbackip:
|
||||||
with (splitIPPorts fwd.destination);
|
with (splitIPPorts fwd.destination);
|
||||||
@ -62,8 +54,6 @@ let
|
|||||||
)
|
)
|
||||||
fwd.loopbackIPs)
|
fwd.loopbackIPs)
|
||||||
forwardPorts);
|
forwardPorts);
|
||||||
fwdLoopDnatMap = toFwdLoopDnatMap fwdPorts;
|
|
||||||
fwdLoopDnatRangeMap = toFwdLoopDnatMap fwdPortsRange;
|
|
||||||
|
|
||||||
# nftables set for port forward loopback snat
|
# nftables set for port forward loopback snat
|
||||||
# daddr . l4proto . dport
|
# daddr . l4proto . dport
|
||||||
@ -79,17 +69,11 @@ let
|
|||||||
type nat hook prerouting priority dstnat;
|
type nat hook prerouting priority dstnat;
|
||||||
|
|
||||||
${optionalString (fwdMap != "") ''
|
${optionalString (fwdMap != "") ''
|
||||||
iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward"
|
iifname "${cfg.externalInterface}" meta l4proto { tcp, udp } dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward"
|
||||||
''}
|
|
||||||
${optionalString (fwdRangeMap != "") ''
|
|
||||||
iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdRangeMap} } comment "port forward"
|
|
||||||
''}
|
''}
|
||||||
|
|
||||||
${optionalString (fwdLoopDnatMap != "") ''
|
${optionalString (fwdLoopDnatMap != "") ''
|
||||||
dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT"
|
meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT"
|
||||||
''}
|
|
||||||
${optionalString (fwdLoopDnatRangeMap != "") ''
|
|
||||||
dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from other hosts behind NAT"
|
|
||||||
''}
|
''}
|
||||||
|
|
||||||
${optionalString (dmzHost != null) ''
|
${optionalString (dmzHost != null) ''
|
||||||
@ -116,10 +100,7 @@ let
|
|||||||
type nat hook output priority mangle;
|
type nat hook output priority mangle;
|
||||||
|
|
||||||
${optionalString (fwdLoopDnatMap != "") ''
|
${optionalString (fwdLoopDnatMap != "") ''
|
||||||
dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself"
|
meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself"
|
||||||
''}
|
|
||||||
${optionalString (fwdLoopDnatRangeMap != "") ''
|
|
||||||
dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from the host itself"
|
|
||||||
''}
|
''}
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
|
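Review bot: The new `meta l4proto { tcp, udp }` prefix on the dnat rules (the prerouting "port forward" rule and both "port forward loopback" rules, in the hunks at -79 and -116) carries no comment saying why the protocol restriction is there, and the commit message only says "fix". Since `th dport` reads the generic transport header and the map keys are already `l4proto . dport`, a reader will wonder whether the guard is semantic or required by nft; I would add above the first rule `# th dport needs a known transport protocol; only tcp/udp carry a dport we want to rewrite` (adjust if the motivation was an nft parse error rather than correctness). The -35 hunk also drops the comment explaining why single ports and port ranges were kept in separate maps without recording that one map now holds both; if that has been verified against the nftables version nixpkgs ships, a one-line comment on `fwdMap` such as `# single ports and ranges may share one dnat map` would stop the split from being reintroduced. The `mkTable` body and the ruleset string continue outside the shown hunks.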