sora/nixconfig
1
0
Fork 1
Code Issues 2 Pull Requests Actions Releases Activity

Fix nftable

Browse Source
This commit is contained in:
soraefir
2026-05-08 01:15:27 +02:00
parent bc8a9d42f9
commit 40dba4b959
1 changed files with 11 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
modules/server/nftables/default.nix
View File

@@ -1,5 +1,7 @@
{ config, lib, ... }:{ { config, lib, ... }:
config = lib.mkIf (true) { let
cfg = config.syscfg.server;
in{
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1; "net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1; "net.ipv6.conf.all.forwarding" = 1;
@@ -12,12 +14,15 @@
type filter hook input priority filter; policy drop; type filter hook input priority filter; policy drop;
ct state established,related accept ct state established,related accept
iifname "lo" accept iifname "lo" accept
tcp dport {5432, 6379} ip saddr { 10.0.0.0/8, 169.254.0.0/16 } accept tcp dport {22} accept
tcp dport {80, 443, 22} accept ${if cfg.database then ''tcp dport {5432, 6379} ip saddr { 10.0.0.0/8, 169.254.0.0/16 } accept'' else ""}
udp dport {80, 443, 22} accept ${if cfg.web then ''tcp dport {80, 443} accept
udp dport {80, 443} accept'' else ""}
} }
} }
${if cfg.nftables.enable then ''
table inet nat { table inet nat {
chain prerouting { chain prerouting {
type nat hook prerouting priority dstnat; policy accept; type nat hook prerouting priority dstnat; policy accept;
@@ -43,7 +48,6 @@
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade
} }
} }'' else ""}
''; '';
};
} }