pyrox.dev / nixpkgs
lol
fork atom

nixos: fix ip46tables invocation in nat

Bernardo Meurer 5ee439eb 367676ce

options
unified split
Changed files
+18 -13
nixos
modules
services
networking
firewall.nix
helpers.nix
nat.nix
+3 -12
nixos/modules/services/networking/firewall.nix 
···

       
42

       
 

       



     

       
43

       
 

       
  kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false);


     

       
44

       
 

       



     

       
45

       
-

       
  helpers =


     

       
46

       
-

       
    ''


     

       
47

       
-

       
      # Helper command to manipulate both the IPv4 and IPv6 tables.


     

       
48

       
-

       
      ip46tables() {


     

       
49

       
-

       
        iptables -w "$@"


     

       
50

       
-

       
        ${optionalString config.networking.enableIPv6 ''


     

       
51

       
-

       
          ip6tables -w "$@"


     

       
52

       
-

       
        ''}


     

       
53

       
-

       
      }


     

       
54

       
-

       
    '';


     

       
55

       
 

       



     

       
56

       
 

       
  writeShScript = name: text: let dir = pkgs.writeScriptBin name ''


     

       
57

       
 

       
    #! ${pkgs.runtimeShell} -e


     
···

       
271

       
 

       
      apply = canonicalizePortList;


     

       
272

       
 

       
      example = [ 22 80 ];


     

       
273

       
 

       
      description =


     

       
274

       
-

       
        '' 


     

       
275

       
 

       
          List of TCP ports on which incoming connections are


     

       
276

       
 

       
          accepted.


     

       
277

       
 

       
        '';


     
···

       
282

       
 

       
      default = [ ];


     

       
283

       
 

       
      example = [ { from = 8999; to = 9003; } ];


     

       
284

       
 

       
      description =


     

       
285

       
-

       
        '' 


     

       
286

       
 

       
          A range of TCP ports on which incoming connections are


     

       
287

       
 

       
          accepted.


     

       
288

       
 

       
        '';


     
···

       
42

       
 

       



     

       
43

       
 

       
  kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false);


     

       
44

       
 

       



     

       
45

       
+

       
  helpers = import ./helpers.nix { inherit config lib; };


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
46

       
 

       



     

       
47

       
 

       
  writeShScript = name: text: let dir = pkgs.writeScriptBin name ''


     

       
48

       
 

       
    #! ${pkgs.runtimeShell} -e


     
···

       
262

       
 

       
      apply = canonicalizePortList;


     

       
263

       
 

       
      example = [ 22 80 ];


     

       
264

       
 

       
      description =


     

       
265

       
+

       
        ''


     

       
266

       
 

       
          List of TCP ports on which incoming connections are


     

       
267

       
 

       
          accepted.


     

       
268

       
 

       
        '';


     
···

       
273

       
 

       
      default = [ ];


     

       
274

       
 

       
      example = [ { from = 8999; to = 9003; } ];


     

       
275

       
 

       
      description =


     

       
276

       
+

       
        ''


     

       
277

       
 

       
          A range of TCP ports on which incoming connections are


     

       
278

       
 

       
          accepted.


     

       
279

       
 

       
        '';
+11
nixos/modules/services/networking/helpers.nix 
···

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     
···

       
1

       
+

       
{ config, lib, ... }: ''


     

       
2

       
+

       
  # Helper command to manipulate both the IPv4 and IPv6 tables.


     

       
3

       
+

       
  ip46tables() {


     

       
4

       
+

       
    iptables -w "$@"


     

       
5

       
+

       
    ${


     

       
6

       
+

       
      lib.optionalString config.networking.enableIPv6 ''


     

       
7

       
+

       
        ip6tables -w "$@"


     

       
8

       
+

       
      ''


     

       
9

       
+

       
    }


     

       
10

       
+

       
  }


     

       
11

       
+

       
''
+4 -1
nixos/modules/services/networking/nat.nix 
···

       
7

       
 

       
with lib;


     

       
8

       
 

       



     

       
9

       
 

       
let


     

       
10

       
-

       



     

       
11

       
 

       
  cfg = config.networking.nat;


     

       
12

       
 

       



     

       
13

       
 

       
  dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}";


     

       
14

       
 

       



     

       

       

       
     

       

       

       
     

       
15

       
 

       
  flushNat = ''


     

       

       

       
     

       
16

       
 

       
    ip46tables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true


     

       
17

       
 

       
    ip46tables -w -t nat -F nixos-nat-pre 2>/dev/null || true


     

       
18

       
 

       
    ip46tables -w -t nat -X nixos-nat-pre 2>/dev/null || true


     
···

       
27

       
 

       
  '';


     

       
28

       
 

       



     

       
29

       
 

       
  setupNat = ''


     

       

       

       
     

       
30

       
 

       
    # Create subchain where we store rules


     

       
31

       
 

       
    ip46tables -w -t nat -N nixos-nat-pre


     

       
32

       
 

       
    ip46tables -w -t nat -N nixos-nat-post


     
···

       
7

       
 

       
with lib;


     

       
8

       
 

       



     

       
9

       
 

       
let


     

       

       

       
     

       
10

       
 

       
  cfg = config.networking.nat;


     

       
11

       
 

       



     

       
12

       
 

       
  dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}";


     

       
13

       
 

       



     

       
14

       
+

       
  helpers = import ./helpers.nix { inherit config lib; };


     

       
15

       
+

       



     

       
16

       
 

       
  flushNat = ''


     

       
17

       
+

       
    ${helpers}


     

       
18

       
 

       
    ip46tables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true


     

       
19

       
 

       
    ip46tables -w -t nat -F nixos-nat-pre 2>/dev/null || true


     

       
20

       
 

       
    ip46tables -w -t nat -X nixos-nat-pre 2>/dev/null || true


     
···

       
29

       
 

       
  '';


     

       
30

       
 

       



     

       
31

       
 

       
  setupNat = ''


     

       
32

       
+

       
    ${helpers}


     

       
33

       
 

       
    # Create subchain where we store rules


     

       
34

       
 

       
    ip46tables -w -t nat -N nixos-nat-pre


     

       
35

       
 

       
    ip46tables -w -t nat -N nixos-nat-post