pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #32258 from ryantrinkle/add-nat-extraCommands

nat: add extraCommands option

Ryan Trinkle f1a6fa6e 58f9fd64

options
unified split
Changed files
+26
nixos
modules
services
networking
nat.nix
+26
nixos/modules/services/networking/nat.nix 
···

       
19

       
19

       
 

       
    iptables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true


     

       
20

       
20

       
 

       
    iptables -w -t nat -F nixos-nat-post 2>/dev/null || true


     

       
21

       
21

       
 

       
    iptables -w -t nat -X nixos-nat-post 2>/dev/null || true


     

       

       
22

       
+

       



     

       

       
23

       
+

       
    ${cfg.extraStopCommands}


     

       
22

       
24

       
 

       
  '';


     

       
23

       
25

       
 

       



     

       
24

       
26

       
 

       
  setupNat = ''


     
···

       
58

       
60

       
 

       
        -i ${cfg.externalInterface} -j DNAT \


     

       
59

       
61

       
 

       
	--to-destination ${cfg.dmzHost}


     

       
60

       
62

       
 

       
    ''}


     

       

       
63

       
+

       



     

       

       
64

       
+

       
    ${cfg.extraCommands}


     

       
61

       
65

       
 

       



     

       
62

       
66

       
 

       
    # Append our chains to the nat tables


     

       
63

       
67

       
 

       
    iptables -w -t nat -A PREROUTING -j nixos-nat-pre


     
···

       
167

       
171

       
 

       
        ''


     

       
168

       
172

       
 

       
          The local IP address to which all traffic that does not match any


     

       
169

       
173

       
 

       
          forwarding rule is forwarded.


     

       

       
174

       
+

       
        '';


     

       

       
175

       
+

       
    };


     

       

       
176

       
+

       



     

       

       
177

       
+

       
    networking.nat.extraCommands = mkOption {


     

       

       
178

       
+

       
      type = types.lines;


     

       

       
179

       
+

       
      default = "";


     

       

       
180

       
+

       
      example = "iptables -A INPUT -p icmp -j ACCEPT";


     

       

       
181

       
+

       
      description =


     

       

       
182

       
+

       
        ''


     

       

       
183

       
+

       
          Additional shell commands executed as part of the nat


     

       

       
184

       
+

       
          initialisation script.


     

       

       
185

       
+

       
        '';


     

       

       
186

       
+

       
    };


     

       

       
187

       
+

       



     

       

       
188

       
+

       
    networking.nat.extraStopCommands = mkOption {


     

       

       
189

       
+

       
      type = types.lines;


     

       

       
190

       
+

       
      default = "";


     

       

       
191

       
+

       
      example = "iptables -D INPUT -p icmp -j ACCEPT || true";


     

       

       
192

       
+

       
      description =


     

       

       
193

       
+

       
        ''


     

       

       
194

       
+

       
          Additional shell commands executed as part of the nat


     

       

       
195

       
+

       
          teardown script.


     

       
170

       
196

       
 

       
        '';


     

       
171

       
197

       
 

       
    };


     

       
172

       
198