author | Markus Mueller <john.subscriber@markus.institute> | 2017-08-03 17:41:07 +0000 |
---|---|---|
committer | Robin Gloster <mail@glob.in> | 2017-08-03 21:16:14 +0200 |
commit | 53d2f0980d7b66fefbaeb405bd11789fb816f137 (patch) | |
tree | 3ae1b0a346f226919930bea82e12d00ce466c700 /nixos/modules/services/networking/nat.nix | |
parent | d604336b5b8a2434e2289d1d59c8b1c6ee186e3f (diff) | |
nat: always flush nixos nat rules on firewall start/reload
Fixes #27510
Diffstat (limited to 'nixos/modules/services/networking/nat.nix')
-rw-r--r-- | nixos/modules/services/networking/nat.nix | 55 |
1 files changed, 29 insertions, 26 deletions
diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix
index 08ba2fdb164..41e0a8c8474 100644
--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
@@ -151,38 +151,41 @@ in
 ###### implementation
- config = mkIf config.networking.nat.enable {
+ config = mkMerge [
+ { networking.firewall.extraCommands = mkBefore flushNat; }
+ (mkIf config.networking.nat.enable {
- environment.systemPackages = [ pkgs.iptables ];
+ environment.systemPackages = [ pkgs.iptables ];
- boot = {
- kernelModules = [ "nf_nat_ftp" ];
- kernel.sysctl = {
- "net.ipv4.conf.all.forwarding" = mkOverride 99 true;
- "net.ipv4.conf.default.forwarding" = mkOverride 99 true;
+ boot = {
+ kernelModules = [ "nf_nat_ftp" ];
+ kernel.sysctl = {
+ "net.ipv4.conf.all.forwarding" = mkOverride 99 true;
+ "net.ipv4.conf.default.forwarding" = mkOverride 99 true;
+ };
 };
- };
- networking.firewall = mkIf config.networking.firewall.enable {
- extraCommands = mkMerge [ (mkBefore flushNat) setupNat ];
- extraStopCommands = flushNat;
- };
+ networking.firewall = mkIf config.networking.firewall.enable {
+ extraCommands = setupNat;
+ extraStopCommands = flushNat;
+ };
- systemd.services = mkIf (!config.networking.firewall.enable) { nat = {
- description = "Network Address Translation";
- wantedBy = [ "network.target" ];
- after = [ "network-pre.target" "systemd-modules-load.service" ];
- path = [ pkgs.iptables ];
- unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+ systemd.services = mkIf (!config.networking.firewall.enable) { nat = {
+ description = "Network Address Translation";
+ wantedBy = [ "network.target" ];
+ after = [ "network-pre.target" "systemd-modules-load.service" ];
+ path = [ pkgs.iptables ];
+ unitConfig.ConditionCapability = "CAP_NET_ADMIN";
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
- script = flushNat + setupNat;
+ script = flushNat + setupNat;
- postStop = flushNat;
- }; };
- };
+ postStop = flushNat;
+ }; };
+ })
+ ];
 } |
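Review bot: The unconditional `{ networking.firewall.extraCommands = mkBefore flushNat; }` at the top of the new `mkMerge` carries no comment saying why it sits outside the `mkIf config.networking.nat.enable` guard, so a later tidy-up could move it back inside and reintroduce the stale-rule problem this commit fixes. I would put above that line `# Flush the nixos-nat chains on every firewall start/reload even when NAT is disabled, so rules from a previous configuration do not survive a switch (#27510).` As far as this hunk shows, the only flush paths are the firewall's extraCommands/extraStopCommands and the nat service's script/postStop, so when both NAT and the firewall are disabled in the same switch any cleanup depends on the stop hooks of the previous generation's units, which may be worth a sentence in the option description. `flushNat` and `setupNat` are defined above this hunk, so whether they tolerate already-absent chains cannot be checked here.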