modules/nftnat: init nftables nat module

keep-around/95da394e016383ba8d791d839049c60e328418b4
hexchen 2021-01-15 22:46:45 +00:00
parent c0efd41e74
commit 61db3bc33f
3 changed files with 64 additions and 1 deletions

View File

@ -51,7 +51,7 @@
interface = "enp6s0";
};
networking.nat.enable = true;
hacc.nftables.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "enp6s0";

View File

@ -4,5 +4,6 @@ let
in {
imports = [
"${sources.immae-nix}/modules/webapps/peertube.nix"
./nftnat
];
}

View File

@ -0,0 +1,62 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hacc.nftables.nat;
nats = config.networking.nat;
in {
options.hacc.nftables.nat = {
enable = mkEnableOption "Wrap NAT into nftables.";
forwardPorts = mkOption {
type = with types; listOf (submodule {
options = {
ports = mkOption {
type = types.listOf (types.either types.int (types.strMatching "[[:digit:]]+-[[:digit:]]+"));
};
destination = mkOption {
type = types.str;
example = "10.0.0.1";
};
proto = mkOption {
type = types.str;
default = "tcp";
example = "udp";
};
};
});
default = [];
example = [{ ports = [ 8080 "9100-9200" ]; destination = "192.168.100.2"; proto = "udp"; }];
};
};
config = mkIf cfg.enable {
networking.nat.enable = mkOverride 99 false;
boot = {
kernelModules = [ "nf_nat_ftp" ];
kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = mkOverride 98 true;
"net.ipv4.conf.default.forwarding" = mkOverride 98 true;
};
};
petabyte.nftables = {
enable = true;
extraConfig = ''
table ip nat {
chain prerouting {
type nat hook prerouting priority -100
${concatMapStringsSep "\n" (rule: "iif ${nats.externalInterface} ${rule.proto} dport { ${concatStringsSep ", " (map (x: toString x) rule.ports)} } dnat ${rule.destination}") cfg.forwardPorts}
}
chain postrouting {
type nat hook postrouting priority 100
${concatMapStringsSep "\n" (iface: "iifname ${replaceStrings ["+"] ["*"] iface} oifname ${nats.externalInterface} masquerade") nats.internalInterfaces}
${concatMapStringsSep "\n" (addr: "ip saddr ${addr} oifname ${nats.externalInterface} masquerade") nats.internalIPs}
}
}
'';
};
};
}