base repository: NixOS/nixpkgs
base: 3cc9445e56fa
head repository: NixOS/nixpkgs
compare: 3942cbea6717
  • 2 commits
  • 1 file changed
  • 2 contributors

Commits on Feb 19, 2018

  1. nixos/nat: support nat reflection

    volth committed Feb 19, 2018
    328f8a6 View commit details

Commits on Feb 20, 2018

  1. Merge pull request #35161 from volth/patch-92

    nixos/nat: support nat reflection
    fpletz authored Feb 20, 2018

    3942cbe View commit details
Showing with 32 additions and 1 deletion.
  1. +32 −1 nixos/modules/services/networking/nat.nix
33 changes: 32 additions & 1 deletion nixos/modules/services/networking/nat.nix
@@ -53,12 +53,36 @@ let
-i ${cfg.externalInterface} -p ${fwd.proto} \
--dport ${builtins.toString fwd.sourcePort} \
-j DNAT --to-destination ${fwd.destination}
${concatMapStrings (loopbackip:
let
m = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination;
destinationIP = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else elemAt m 0;
destinationPorts = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else elemAt m 1;
in ''
# Allow connections to ${loopbackip}:${toString fwd.sourcePort} from the host itself
iptables -w -t nat -A OUTPUT \
-d ${loopbackip} -p ${fwd.proto} \
--dport ${builtins.toString fwd.sourcePort} \
-j DNAT --to-destination ${fwd.destination}
# Allow connections to ${loopbackip}:${toString fwd.sourcePort} from other hosts behind NAT
iptables -w -t nat -A nixos-nat-pre \
-d ${loopbackip} -p ${fwd.proto} \
--dport ${builtins.toString fwd.sourcePort} \
-j DNAT --to-destination ${fwd.destination}
iptables -w -t nat -A nixos-nat-post \
-d ${destinationIP} -p ${fwd.proto} \
--dport ${destinationPorts} \
-j SNAT --to-source ${loopbackip}
'') fwd.loopbackIPs}
'') cfg.forwardPorts}
${optionalString (cfg.dmzHost != null) ''
iptables -w -t nat -A nixos-nat-pre \
-i ${cfg.externalInterface} -j DNAT \
--to-destination ${cfg.dmzHost}
--to-destination ${cfg.dmzHost}
''}
${cfg.extraCommands}
@@ -152,6 +176,13 @@ in
example = "udp";
description = "Protocol of forwarded connection";
};

loopbackIPs = mkOption {
type = types.listOf types.str;
default = [];
example = literalExample ''[ "55.1.2.3" ]'';
description = "Public IPs for NAT reflection; for connections to `loopbackip:sourcePort' from the host itself and from other hosts behind NAT";
};
};
});
default = [];
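Review bot: The SNAT rule appended to nixos-nat-post in the first hunk (`-d ${destinationIP} -p ${fwd.proto} --dport ${destinationPorts} -j SNAT --to-source ${loopbackip}`) has no source restriction, so it also rewrites connections that reached the forwarded service through the existing `-i ${cfg.externalInterface}` DNAT rule; the internal host then sees every external client as `${loopbackip}` and loses the real source address for its logs and any source-based access control. Reflection only needs the source rewrite for clients inside the NAT, so the rule should be limited with `-s` to the internal address ranges (the module's `internalIPs` option, if it is in scope here), and the intent deserves a comment such as `# SNAT only reflected (internal) clients; external clients keep their real source address`. A second, smaller point: the match on the line `m = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination;` accepts a port range written `low-high`, which is the `--to-destination` spelling, but `--dport` expects `low:high`, so a ranged destination would produce a rule iptables rejects; either restrict the second group to a single port or write `--dport ${replaceStrings ["-"] [":"] destinationPorts}`. The let-bound script these rules belong to begins outside the hunk.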