author | Franz Pletz <fpletz@fnordicwalking.de> | 2016-05-10 01:06:16 +0200 |
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2016-05-12 01:52:13 +0200 |
commit | 431a98b12b5e1cc51181da815870dda5e23709f8 (patch) | |
tree | 85764f81803b136c5d2666abb3d85b0587d867e9 | |
parent | 59555ce4ee632e635d92543f87955bf7fc954b0f (diff) | |
nixos/nat: Allow nat without an externalInterface
-rw-r--r-- | nixos/modules/services/networking/nat.nix | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix
index 9d163e60d5ea..f35b0f68e3ef 100644
--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
@@ -12,6 +12,9 @@ let
 dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}";
+ externalInterfaceFilter = param:
+ optionalString (cfg.externalInterface != null) "${param} ${cfg.externalInterface}";
+
 flushNat = ''
 iptables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true
 iptables -w -t nat -F nixos-nat-pre 2>/dev/null || true
@@ -36,19 +39,20 @@ let
 # NAT the marked packets.
 ${optionalString (cfg.internalInterfaces != []) ''
 iptables -w -t nat -A nixos-nat-post -m mark --mark 1 \
- -o ${cfg.externalInterface} ${dest}
+ ${externalInterfaceFilter "-o"} ${dest}
 ''}
 # NAT packets coming from the internal IPs.
 ${concatMapStrings (range: ''
 iptables -w -t nat -A nixos-nat-post \
- -s '${range}' -o ${cfg.externalInterface} ${dest}
+ -s '${range}' \! -d '${range}'
+ ${externalInterfaceFilter "-o"} ${dest}
 '') cfg.internalIPs}
 # NAT from external ports to internal ports.
 ${concatMapStrings (fwd: ''
 iptables -w -t nat -A nixos-nat-pre \
- ${externalInterfaceFilter "-i"} -p tcp \
 --dport ${builtins.toString fwd.sourcePort} \
 -j DNAT --to-destination ${fwd.destination}
 '') cfg.forwardPorts}
@@ -100,7 +104,8 @@ in
 };
 networking.nat.externalInterface = mkOption {
- type = types.str;
+ type = types.nullOr types.str;
+ default = null;
 example = "eth1";
 description = '' |
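Review bot: The `\! -d '${range}'` exclusion added to the internal-IP POSTROUTING rule in the second hunk is a behaviour change the commit title does not cover, and it is applied only to that rule: once externalInterface is null the marked-packets rule above it has no `-o` match at all, so packets marked 1 that are routed back out to another internal interface, and packets from one internalIPs range to a different range, now leave with the SNAT/MASQUERADE source address. The PREROUTING DNAT rule likewise loses its `-i` match and will rewrite `--dport` traffic arriving on any interface, internal ones included, which is presumably not what a user of forwardPorts expects. If the all-interface behaviour is intended, the new helper in the first hunk should say so, e.g. `# Null externalInterface means no interface match: the SNAT/MASQUERADE and DNAT rules then apply to traffic on every interface, including internal-to-internal.`, and the description of networking.nat.externalInterface in the third hunk (cut off in this view) should state the same; the `\! -d` addition deserves its own sentence in the commit message. Otherwise consider applying the same destination exclusion to the marked-packets rule so the two POSTROUTING rules stay consistent.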