nixos/nat: create nixos-nat-{pre,post,out} in ip6tables too #68459

Merged
merged 1 commit into from Dec 12, 2019


@volth
Contributor

@volth volth commented Sep 10, 2019

The motivations are:

  1. to add nixos-nat-out along with nixos-nat-pre and nixos-nat-post to support scenarios when output packets are NAT'ed to another destination.
    Examples are:

    • a webmaster may want to redirect "website.com:80" and "website.com:443" to unprivileged ports on 127.0.0.1 where a webserver is running.
    • TOR and I2P websites can be mapped to private address space.

    Those techniques require adding NAT rules to the OUTPUT chain along with PREROUTING and POSTROUTING, so it would be nice if all NAT rules were set and cleaned at once.

  2. adding nixos-nat-out, nixos-nat-pre and nixos-nat-post to ip6tables would simplify setting up NAT66 (I know it is an anti-pattern, but sometimes inevitable). Although the nixos/nat module does not use ip6tables and probably should not support NAT66 at all, ip6tables can be used in extraCommands and IPv6 NAT rules will be automatically cleaned together with IPv4 NAT rules.
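
A configuration sketch of the first use case described above, added here as an illustration; it is not part of the pull request or of nixpkgs. It assumes the module hooks `nixos-nat-out` into the `nat` table's OUTPUT chain for both `iptables` and `ip6tables`, as the description states; the addresses (documentation ranges) and the ports 8080/8443 are constructed placeholders.

```nix
{ ... }:
{
  networking.nat = {
    enable = true;

    # Rules are appended to the module-owned chain rather than to OUTPUT
    # directly, so they are flushed together with the module's own NAT rules
    # and do not accumulate across restarts.
    extraCommands = ''
      # IPv4: connections opened on this host to the site's public address
      # (placeholder 203.0.113.10) are redirected to the unprivileged
      # listener. REDIRECT in OUTPUT rewrites the destination to loopback,
      # so only locally generated traffic is affected; traffic arriving
      # from other hosts would need a matching rule in nixos-nat-pre.
      iptables -w -t nat -A nixos-nat-out -d 203.0.113.10 -p tcp --dport 80 \
        -j REDIRECT --to-ports 8080
      iptables -w -t nat -A nixos-nat-out -d 203.0.113.10 -p tcp --dport 443 \
        -j REDIRECT --to-ports 8443

      # IPv6: the same redirect through the ip6tables chain of the same name
      # (placeholder address 2001:db8::10). The webserver must also listen
      # on ::1 for this to reach it.
      ip6tables -w -t nat -A nixos-nat-out -d 2001:db8::10 -p tcp --dport 80 \
        -j REDIRECT --to-ports 8080
      ip6tables -w -t nat -A nixos-nat-out -d 2001:db8::10 -p tcp --dport 443 \
        -j REDIRECT --to-ports 8443
    '';
  };
}
```

After a rebuild, `iptables -w -t nat -S nixos-nat-out` and `ip6tables -w -t nat -S nixos-nat-out` should list exactly these rules once; duplicates there would mean the chain is not being flushed.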

@andir
Member

@andir andir commented Sep 11, 2019

@GrahamcOfBorg test nat

@lheckemann lheckemann added this to the 20.03 milestone Sep 12, 2019
Member

@mmilata mmilata left a comment

👍 having nat66 rules flushed automatically makes my config shorter

@andir andir merged commit e8bb94f into NixOS:master Dec 12, 2019
14 checks passed
tests.nat on aarch64-linux Success
tests.nat on x86_64-linux Success
volth added a commit to volth/nixpkgs-windows that referenced this pull request Aug 5, 2020