Merge pull request #266477 from duament/nixos-nat-nftables

nixos/nat: fix nat-nftables
2025-02-02 02:03:21 +00:00 · 2023-11-25 12:58:48 +01:00 · 2023-11-25 12:58:48 +01:00 · 7b1e146a49
commit 7b1e146a49
parent 6a4146286a 92ee71866f
1 changed files with 6 additions and 25 deletions
--- a/nixos/modules/services/networking/nat-nftables.nix
+++ b/nixos/modules/services/networking/nat-nftables.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:

 with lib;

@ -35,26 +35,18 @@ let

  mkTable = { ipVer, dest, ipSet, forwardPorts, dmzHost }:
    let
-      # nftables does not support both port and port range as values in a dnat map.
-      # e.g. "dnat th dport map { 80 : 10.0.0.1 . 80, 443 : 10.0.0.2 . 900-1000 }"
-      # So we split them.
-      fwdPorts = filter (x: length (splitString "-" x.destination) == 1) forwardPorts;
-      fwdPortsRange = filter (x: length (splitString "-" x.destination) > 1) forwardPorts;
-
      # nftables maps for port forward
      # l4proto . dport : addr . port
-      toFwdMap = forwardPorts: toNftSet (map
+      fwdMap = toNftSet (map
        (fwd:
          with (splitIPPorts fwd.destination);
          "${fwd.proto} . ${toNftRange fwd.sourcePort} : ${IP} . ${ports}"
        )
        forwardPorts);
-      fwdMap = toFwdMap fwdPorts;
-      fwdRangeMap = toFwdMap fwdPortsRange;

      # nftables maps for port forward loopback dnat
      # daddr . l4proto . dport : addr . port
-      toFwdLoopDnatMap = forwardPorts: toNftSet (concatMap
+      fwdLoopDnatMap = toNftSet (concatMap
        (fwd: map
          (loopbackip:
            with (splitIPPorts fwd.destination);
@ -62,8 +54,6 @@ let
          )
          fwd.loopbackIPs)
        forwardPorts);
-      fwdLoopDnatMap = toFwdLoopDnatMap fwdPorts;
-      fwdLoopDnatRangeMap = toFwdLoopDnatMap fwdPortsRange;

      # nftables set for port forward loopback snat
      # daddr . l4proto . dport
@ -79,17 +69,11 @@ let
        type nat hook prerouting priority dstnat;

        ${optionalString (fwdMap != "") ''
-          iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward"
-        ''}
-        ${optionalString (fwdRangeMap != "") ''
-          iifname "${cfg.externalInterface}" dnat meta l4proto . th dport map { ${fwdRangeMap} } comment "port forward"
+          iifname "${cfg.externalInterface}" meta l4proto { tcp, udp } dnat meta l4proto . th dport map { ${fwdMap} } comment "port forward"
        ''}

        ${optionalString (fwdLoopDnatMap != "") ''
-          dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT"
-        ''}
-        ${optionalString (fwdLoopDnatRangeMap != "") ''
-          dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from other hosts behind NAT"
+          meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from other hosts behind NAT"
        ''}

        ${optionalString (dmzHost != null) ''
@ -116,10 +100,7 @@ let
        type nat hook output priority mangle;

        ${optionalString (fwdLoopDnatMap != "") ''
-          dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself"
-        ''}
-        ${optionalString (fwdLoopDnatRangeMap != "") ''
-          dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatRangeMap} } comment "port forward loopback from the host itself"
+          meta l4proto { tcp, udp } dnat ${ipVer} daddr . meta l4proto . th dport map { ${fwdLoopDnatMap} } comment "port forward loopback from the host itself"
        ''}
      }
    '';