diff options
author | Alyssa Ross <hi@alyssa.is> | 2023-12-01 19:00:09 +0100 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2023-12-01 19:00:09 +0100 |
commit | 9e9b07490d5bab5d115c66b80bdb10ff0c11ed8d (patch) | |
tree | 4368f9e4cb2d5b93a956c085337e45cb70f1e331 /nixpkgs/nixos/modules/services/networking/nat-nftables.nix | |
parent | a9cbfb6941b47d6f50129e6e36927882392daed7 (diff) | |
parent | 2344fe1da14cb08b0c18743b207995f9b8597915 (diff) | |
download | nixlib-9e9b07490d5bab5d115c66b80bdb10ff0c11ed8d.tar nixlib-9e9b07490d5bab5d115c66b80bdb10ff0c11ed8d.tar.gz nixlib-9e9b07490d5bab5d115c66b80bdb10ff0c11ed8d.tar.bz2 nixlib-9e9b07490d5bab5d115c66b80bdb10ff0c11ed8d.tar.lz nixlib-9e9b07490d5bab5d115c66b80bdb10ff0c11ed8d.tar.xz nixlib-9e9b07490d5bab5d115c66b80bdb10ff0c11ed8d.tar.zst nixlib-9e9b07490d5bab5d115c66b80bdb10ff0c11ed8d.zip |
Merge https://github.com/NixOS/nixpkgs
Diffstat (limited to 'nixpkgs/nixos/modules/services/networking/nat-nftables.nix')
-rw-r--r-- | nixpkgs/nixos/modules/services/networking/nat-nftables.nix | 31 |
1 files changed, 6 insertions, 25 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/nat-nftables.nix b/nixpkgs/nixos/modules/services/networking/nat-nftables.nix index 4b2317ca2ffc..7aa93d8a64b1 100644 --- a/nixpkgs/nixos/modules/services/networking/nat-nftables.nix +++ b/nixpkgs/nixos/modules/services/networking/nat-nftables.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, ... }: with lib; @@ -35,26 +35,18 @@ let mkTable = { ipVer, dest, ipSet, forwardPorts, dmzHost }: let - # nftables does not support both port and port range as values in a dnat map. - # e.g. "dnat th dport map { 80 : 10.0.0.1 . 80, 443 : 10.0.0.2 . 900-1000 }" - # So we split them. - fwdPorts = filter (x: length (splitString "-" x.destination) == 1) forwardPorts; - fwdPortsRange = filter (x: length (splitString "-" x.destination) > 1) forwardPorts; - # nftables maps for port forward # l4proto . dport : addr . port - toFwdMap = forwardPorts: toNftSet (map + fwdMap = toNftSet (map (fwd: with (splitIPPorts fwd.destination); "${fwd.proto} . ${toNftRange fwd.sourcePort} : ${IP} . ${ports}" ) forwardPorts); - fwdMap = toFwdMap fwdPorts; - fwdRangeMap = toFwdMap fwdPortsRange; # nftables maps for port forward loopback dnat # daddr . l4proto . dport : addr . port - toFwdLoopDnatMap = forwardPorts: toNftSet (concatMap + fwdLoopDnatMap = toNftSet (concatMap (fwd: map (loopbackip: with (splitIPPorts fwd.destination); @@ -62,8 +54,6 @@ let ) fwd.loopbackIPs) forwardPorts); - fwdLoopDnatMap = toFwdLoopDnatMap fwdPorts; - fwdLoopDnatRangeMap = toFwdLoopDnatMap fwdPortsRange; # nftables set for port forward loopback snat # daddr . l4proto . dport @@ -79,17 +69,11 @@ let type nat hook prerouting priority dstnat; ${optionalString (fwdMap != "") '' - iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward" - ''} - ${optionalString (fwdRangeMap != "") '' - iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdRangeMap} } comment "port forward" + iifname "${cfg.externalInterface}" meta l4proto { tcp, udp } dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward" ''} ${optionalString (fwdLoopDnatMap != "") '' - dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT" - ''} - ${optionalString (fwdLoopDnatRangeMap != "") '' - dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from other hosts behind NAT" + meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT" ''} ${optionalString (dmzHost != null) '' @@ -116,10 +100,7 @@ let type nat hook output priority mangle; ${optionalString (fwdLoopDnatMap != "") '' - dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself" - ''} - ${optionalString (fwdLoopDnatRangeMap != "") '' - dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from the host itself" + meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself" ''} } ''; |