Commit Graph

38 Commits

Author SHA1 Message Date
Rvfg
a43c7b2a70
nixos/{firewall, nat}: add a nftables based implementation 2022-12-23 00:49:24 +08:00
Bernardo Meurer
0627237785
Merge pull request #181334 from zhaofengli/nat-iptables-pkg
nixos/nat: Use the package specified in networking.firewall.package
2022-09-06 14:05:20 -03:00
Zhaofeng Li
7689468a4b nixos/nat: Use the package specified in networking.firewall.package
Otherwise the system path is inconsistent if you do something like

    networking.firewall.package = pkgs.iptables-legacy;
2022-08-31 13:14:07 -06:00
pennae
2e751c0772 treewide: automatically md-convert option descriptions
the conversion procedure is simple:

 - find all things that look like options, ie calls to either `mkOption`
   or `lib.mkOption` that take an attrset. remember the attrset as the
   option
 - for all options, find a `description` attribute who's value is not a
   call to `mdDoc` or `lib.mdDoc`
 - textually convert the entire value of the attribute to MD with a few
   simple regexes (the set from mdize-module.sh)
 - if the change produced a change in the manual output, discard
 - if the change kept the manual unchanged, add some text to the
   description to make sure we've actually found an option. if the
   manual changes this time, keep the converted description

this procedure converts 80% of nixos options to markdown. around 2000
options remain to be inspected, but most of those fail the "does not
change the manual output check": currently the MD conversion process
does not faithfully convert docbook tags like <code> and <package>, so
any option using such tags will not be converted at all.
2022-07-30 15:16:34 +02:00
Naïm Favier
2ddc335e6f
nixos/doc: clean up defaults and examples 2021-10-04 12:47:20 +02:00
Valérian Galliat
b93a5a1746
nixos/nat: support IPv6 NAT 2020-12-01 00:51:58 +01:00
Thomas Dy
97a61c8903 nixos/nat: fix multiple destination ports with loopback 2020-03-04 18:11:31 +09:00
volth
6abba2294d nixos/nat: use nixos-nat-out instead of OUTPUT 2020-01-12 00:06:49 +01:00
Bernardo Meurer
5ee439eb08
nixos: fix ip46tables invocation in nat 2019-12-14 20:13:12 -08:00
Andreas Rammhold
e8bb94fca9
Merge pull request #68459 from volth/patch-364
nixos/nat: create nixos-nat-{pre,post,out} in ip6tables too
2019-12-12 15:55:51 +01:00
Max Veytsman
de1cbcc692 nixos/nat: fix typo in comment
This iptables directive is marking packets coming from the internal interfaces so they can later be NATed by the rule in 22378e6996/nixos/modules/services/networking/nat.nix (L38-L42) .

Fix the comment accordingly.
2019-11-04 17:00:22 +01:00
volth
3e792fb6df
nixos/nat: create nixos-nat-{pre,post,out} in ip6tables too 2019-09-10 21:58:19 +00:00
volth
d79a5057d3 nixos/nat: optional networking.nat.externalInterface (#41864)
to prevent "cannot coerce null to string" raise before the assertions are checked
2018-06-12 15:14:15 +02:00
volth
d4daddad75 nixos/nat: optional networking.nat.externalInterface (#41758) 2018-06-10 18:29:32 +02:00
volth
328f8a6cba nixos/nat: support nat reflection 2018-02-19 13:16:09 +00:00
Ryan Trinkle
ab2b3a5d0a nat: add extraCommands and extraStopCommands options 2017-12-06 11:17:38 -05:00
zimbatm
3807408c38
Merge pull request #32212 from ryantrinkle/nat-port-forwarding-ranges
Nat port forwarding ranges
2017-12-04 12:05:05 +00:00
Ryan Trinkle
4f8a65a163 nixos/nat: add dmzHost option (#32257) 2017-12-04 09:21:58 +00:00
Ryan Trinkle
a8f1ebf52c nat: support port ranges in networking.nat.forwardPorts 2017-12-02 13:28:01 -05:00
Phil
4f277bd920 nixos/networking/nat: add option for protocol
This commit adds an option to allow udp port forwarding (see #24894).
2017-08-04 17:03:05 +02:00
Markus Mueller
53d2f0980d
nat: always flush nixos nat rules on firewall start/reload
Fixes #27510
2017-08-03 21:16:14 +02:00
Joachim F
0906a0f197 Merge pull request #18491 from groxxda/network-interfaces
Replace Network-interfaces.target
2016-10-02 16:34:37 +02:00
Alexander Ried
8524df1259 networking.nat: replace network-interfaces.target
We can replace this safely with network-pre because iptables does not
care whether the interfaces exist or not.
2016-09-13 11:19:22 +02:00
Eric Sagnes
c3bdee3c39 nat module: optionSet -> submodule 2016-09-13 12:53:10 +09:00
Domen Kožar
25e3c091a0 Revert "nixos/nat: Allow nat without an externalInterface"
This reverts commit 431a98b12b.

Breaks nixos tests: http://hydra.nixos.org/build/35538207
2016-05-12 11:04:06 +01:00
Franz Pletz
431a98b12b nixos/nat: Allow nat without an externalInterface 2016-05-12 01:52:13 +02:00
William A. Kennington III
ba53392bce nixos/nat: Fix override so that sysctls are properly preserved 2014-10-31 16:50:25 -07:00
William A. Kennington III
ae195727b7 nixos/nat: Don't flush tables, create subchains for autogenerated rules 2014-09-18 11:28:58 -07:00
William A. Kennington III
1321fd175d nixos/nat: Leverage firewall module 2014-09-15 21:31:27 -07:00
Luca Bruno
2ba523df24 nixos nat: add description to forwardPorts 2014-09-04 11:33:08 +02:00
Luca Bruno
e6ab680cbf nixos nat: add type for sourcePort and destination of forwardPorts 2014-09-04 10:26:33 +02:00
Luca Bruno
b21ac60290 nixos/nat: add forwardPorts for external->internal DNAT 2014-09-01 22:31:56 +02:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Eelco Dolstra
017408e048 Use iptables' ‘-w’ flag
This prevents errors like "Another app is currently holding the
xtables lock" if the firewall and NAT services are starting in
parallel.  (Longer term, we should probably move to a single service
for managing the iptables rules.)
2014-04-11 17:16:44 +02:00
Eelco Dolstra
b9281e6a2d Fix NAT module 2014-04-11 17:16:44 +02:00
Eelco Dolstra
a34bfbab4c Add option networking.nat.internalInterfaces
This allows applying NAT to an interface, rather than an IP range.
2014-04-10 15:07:29 +02:00
Eelco Dolstra
408b8b5725 Add lots of missing option types 2013-10-30 18:47:43 +01:00
Eelco Dolstra
5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00