author | Bernardo Meurer <meurerbernardo@gmail.com> | 2019-12-14 20:10:17 -0800 |
committer | Bernardo Meurer <meurerbernardo@gmail.com> | 2019-12-14 20:13:12 -0800 |
commit | 5ee439eb0807353fdd7725aaa409bb4170bb5d05 (patch) | |
tree | 9eccbc82cf3f6d4da1a16565ec2b281b30c74ae1 /nixos | |
parent | 367676ce82b3b5e63f322b335ed8a2bc3b4216bc (diff) | |
nixos: fix ip46tables invocation in nat
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/firewall.nix | 15 | ||||
-rw-r--r-- | nixos/modules/services/networking/helpers.nix | 11 | ||||
-rw-r--r-- | nixos/modules/services/networking/nat.nix | 5 |
3 files changed, 18 insertions, 13 deletions
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 5919962837a2..15aaf7410674 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -42,16 +42,7 @@ let
   kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false);
-  helpers =
-    ''
-      # Helper command to manipulate both the IPv4 and IPv6 tables.
-      ip46tables() {
-        iptables -w "$@"
-        ${optionalString config.networking.enableIPv6 ''
-          ip6tables -w "$@"
-        ''}
-      }
-    '';
+  helpers = import ./helpers.nix { inherit config lib; };
   writeShScript = name: text: let dir = pkgs.writeScriptBin name ''
     #! ${pkgs.runtimeShell} -e
@@ -271,7 +262,7 @@ let
         apply = canonicalizePortList;
         example = [ 22 80 ];
         description =
-          ''
+          ''
             List of TCP ports on which incoming connections are accepted.
           '';
@@ -282,7 +273,7 @@ let
         default = [ ];
         example = [ { from = 8999; to = 9003; } ];
         description =
-          ''
+          ''
             A range of TCP ports on which incoming connections are accepted.
           '';
diff --git a/nixos/modules/services/networking/helpers.nix b/nixos/modules/services/networking/helpers.nix
new file mode 100644
index 000000000000..d7d42de0e3a8
--- /dev/null
+++ b/nixos/modules/services/networking/helpers.nix
@@ -0,0 +1,11 @@
+{ config, lib, ... }: ''
+  # Helper command to manipulate both the IPv4 and IPv6 tables.
+  ip46tables() {
+    iptables -w "$@"
+    ${
+      lib.optionalString config.networking.enableIPv6 ''
+        ip6tables -w "$@"
+      ''
+    }
+  }
+''
diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix
index c80db8472f0d..f1238bc6b168 100644
--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
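Review bot: helpers.nix carries no comment saying what it is — a function returning a shell snippet (a string), not a NixOS module — so a reader has to work out from the call sites that it must be interpolated at the top of every script string that calls `ip46tables`. Suggest a header comment before `{ config, lib, ... }: ''`: `# Returns a shell snippet defining ip46tables(); interpolate it as ${helpers} before the first ip46tables call in each script.` The same comment should state that when `config.networking.enableIPv6` is false only `iptables -w "$@"` runs, so a rule a caller expects to land in the IPv6 tables is skipped rather than rejected; that is existing behaviour moved from firewall.nix, but the new file is the natural place to document it.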
@@ -7,12 +7,14 @@ with lib;
 let
-
   cfg = config.networking.nat;
   dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}";
+  helpers = import ./helpers.nix { inherit config lib; };
+
   flushNat = ''
+    ${helpers}
     ip46tables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true
     ip46tables -w -t nat -F nixos-nat-pre 2>/dev/null || true
     ip46tables -w -t nat -X nixos-nat-pre 2>/dev/null || true
@@ -27,6 +29,7 @@ let
   '';
   setupNat = ''
+    ${helpers}
     # Create subchain where we store rules
     ip46tables -w -t nat -N nixos-nat-pre
     ip46tables -w -t nat -N nixos-nat-post
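Review bot: Once `${helpers}` defines `ip46tables` as `iptables -w "$@"` (plus `ip6tables -w "$@"`), the `-w` on each `ip46tables -w -t nat ...` line in flushNat and setupNat reaches iptables twice; as far as I know a repeated `-w` is accepted, but it is misleading now that the helper owns the lock-wait flag, so the calls could read `ip46tables -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null || true` and likewise for the others. Because the helper is a shell function definition rather than an executable, every separate script string in nat.nix needs its own `${helpers}` line; both hunks here do that, but any further script in this file that calls ip46tables outside these hunks would presumably still hit the undefined-function problem this commit fixes. The `let` binding list and both script strings continue outside the hunks.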