Loading nixos/modules/services/networking/nat-nftables.nix +6 −25 Original line number Diff line number Diff line { config, lib, pkgs, ... }: { config, lib, ... }: with lib; Loading Loading @@ -35,26 +35,18 @@ let mkTable = { ipVer, dest, ipSet, forwardPorts, dmzHost }: let # nftables does not support both port and port range as values in a dnat map. # e.g. "dnat th dport map { 80 : 10.0.0.1 . 80, 443 : 10.0.0.2 . 900-1000 }" # So we split them. fwdPorts = filter (x: length (splitString "-" x.destination) == 1) forwardPorts; fwdPortsRange = filter (x: length (splitString "-" x.destination) > 1) forwardPorts; # nftables maps for port forward # l4proto . dport : addr . port toFwdMap = forwardPorts: toNftSet (map fwdMap = toNftSet (map (fwd: with (splitIPPorts fwd.destination); "${fwd.proto} . ${toNftRange fwd.sourcePort} : ${IP} . ${ports}" ) forwardPorts); fwdMap = toFwdMap fwdPorts; fwdRangeMap = toFwdMap fwdPortsRange; # nftables maps for port forward loopback dnat # daddr . l4proto . dport : addr . port toFwdLoopDnatMap = forwardPorts: toNftSet (concatMap fwdLoopDnatMap = toNftSet (concatMap (fwd: map (loopbackip: with (splitIPPorts fwd.destination); Loading @@ -62,8 +54,6 @@ let ) fwd.loopbackIPs) forwardPorts); fwdLoopDnatMap = toFwdLoopDnatMap fwdPorts; fwdLoopDnatRangeMap = toFwdLoopDnatMap fwdPortsRange; # nftables set for port forward loopback snat # daddr . l4proto . dport Loading @@ -79,17 +69,11 @@ let type nat hook prerouting priority dstnat; ${optionalString (fwdMap != "") '' iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward" ''} ${optionalString (fwdRangeMap != "") '' iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdRangeMap} } comment "port forward" iifname "${cfg.externalInterface}" meta l4proto { tcp, udp } dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward" ''} ${optionalString (fwdLoopDnatMap != "") '' dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT" ''} ${optionalString (fwdLoopDnatRangeMap != "") '' dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from other hosts behind NAT" meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT" ''} ${optionalString (dmzHost != null) '' Loading @@ -116,10 +100,7 @@ let type nat hook output priority mangle; ${optionalString (fwdLoopDnatMap != "") '' dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself" ''} ${optionalString (fwdLoopDnatRangeMap != "") '' dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from the host itself" meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself" ''} } ''; Loading Loading
nixos/modules/services/networking/nat-nftables.nix +6 −25 Original line number Diff line number Diff line { config, lib, pkgs, ... }: { config, lib, ... }: with lib; Loading Loading @@ -35,26 +35,18 @@ let mkTable = { ipVer, dest, ipSet, forwardPorts, dmzHost }: let # nftables does not support both port and port range as values in a dnat map. # e.g. "dnat th dport map { 80 : 10.0.0.1 . 80, 443 : 10.0.0.2 . 900-1000 }" # So we split them. fwdPorts = filter (x: length (splitString "-" x.destination) == 1) forwardPorts; fwdPortsRange = filter (x: length (splitString "-" x.destination) > 1) forwardPorts; # nftables maps for port forward # l4proto . dport : addr . port toFwdMap = forwardPorts: toNftSet (map fwdMap = toNftSet (map (fwd: with (splitIPPorts fwd.destination); "${fwd.proto} . ${toNftRange fwd.sourcePort} : ${IP} . ${ports}" ) forwardPorts); fwdMap = toFwdMap fwdPorts; fwdRangeMap = toFwdMap fwdPortsRange; # nftables maps for port forward loopback dnat # daddr . l4proto . dport : addr . port toFwdLoopDnatMap = forwardPorts: toNftSet (concatMap fwdLoopDnatMap = toNftSet (concatMap (fwd: map (loopbackip: with (splitIPPorts fwd.destination); Loading @@ -62,8 +54,6 @@ let ) fwd.loopbackIPs) forwardPorts); fwdLoopDnatMap = toFwdLoopDnatMap fwdPorts; fwdLoopDnatRangeMap = toFwdLoopDnatMap fwdPortsRange; # nftables set for port forward loopback snat # daddr . l4proto . dport Loading @@ -79,17 +69,11 @@ let type nat hook prerouting priority dstnat; ${optionalString (fwdMap != "") '' iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward" ''} ${optionalString (fwdRangeMap != "") '' iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdRangeMap} } comment "port forward" iifname "${cfg.externalInterface}" meta l4proto { tcp, udp } dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward" ''} ${optionalString (fwdLoopDnatMap != "") '' dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT" ''} ${optionalString (fwdLoopDnatRangeMap != "") '' dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from other hosts behind NAT" meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT" ''} ${optionalString (dmzHost != null) '' Loading @@ -116,10 +100,7 @@ let type nat hook output priority mangle; ${optionalString (fwdLoopDnatMap != "") '' dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself" ''} ${optionalString (fwdLoopDnatRangeMap != "") '' dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from the host itself" meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself" ''} } ''; Loading
