diff options
| author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-10-10 13:28:20 +0200 |
|---|---|---|
| committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-10-10 13:28:20 +0200 |
| commit | 5c1f8cbc70cd5e6867ef6a2a06d27a40daa07010 (patch) | |
| tree | a6c0f605be6de3f372ae69905b331f9f75452da7 /nixos/modules/services/networking/nat.nix | |
| parent | 6070bc016bd2fd945b04347e25cfd3738622d2ac (diff) | |
| download | nixpkgs-5c1f8cbc70cd5e6867ef6a2a06d27a40daa07010.tar nixpkgs-5c1f8cbc70cd5e6867ef6a2a06d27a40daa07010.tar.gz nixpkgs-5c1f8cbc70cd5e6867ef6a2a06d27a40daa07010.tar.bz2 nixpkgs-5c1f8cbc70cd5e6867ef6a2a06d27a40daa07010.tar.lz nixpkgs-5c1f8cbc70cd5e6867ef6a2a06d27a40daa07010.tar.xz nixpkgs-5c1f8cbc70cd5e6867ef6a2a06d27a40daa07010.tar.zst nixpkgs-5c1f8cbc70cd5e6867ef6a2a06d27a40daa07010.zip | |
Move all of NixOS to nixos/ in preparation of the repository merge
Diffstat (limited to 'nixos/modules/services/networking/nat.nix')
| -rw-r--r-- | nixos/modules/services/networking/nat.nix | 104 |
1 files changed, 104 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix new file mode 100644 index 00000000000..9d62a764f06 --- /dev/null +++ b/nixos/modules/services/networking/nat.nix @@ -0,0 +1,104 @@ +# This module enables Network Address Translation (NAT). +# XXX: todo: support multiple upstream links +# see http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html + +{ config, pkgs, ... }: + +with pkgs.lib; + +let + + cfg = config.networking.nat; + +in + +{ + + ###### interface + + options = { + + networking.nat.enable = mkOption { + default = false; + description = + '' + Whether to enable Network Address Translation (NAT). + ''; + }; + + networking.nat.internalIPs = mkOption { + example = [ "192.168.1.0/24" ] ; + description = + '' + The IP address ranges for which to perform NAT. Packets + coming from these networks and destined for the external + interface will be rewritten. + ''; + # Backward compatibility: this used to be a single range instead + # of a list. + apply = x: if isList x then x else [x]; + }; + + networking.nat.externalInterface = mkOption { + example = "eth1"; + description = + '' + The name of the external network interface. + ''; + }; + + networking.nat.externalIP = mkOption { + default = ""; + example = "203.0.113.123"; + description = + '' + The public IP address to which packets from the local + network are to be rewritten. If this is left empty, the + IP address associated with the external interface will be + used. + ''; + }; + + }; + + + ###### implementation + + config = mkIf config.networking.nat.enable { + + environment.systemPackages = [ pkgs.iptables ]; + + boot.kernelModules = [ "nf_nat_ftp" ]; + + jobs.nat = + { description = "Network Address Translation"; + + startOn = "started network-interfaces"; + + path = [ pkgs.iptables ]; + + preStart = + '' + iptables -t nat -F POSTROUTING + iptables -t nat -X + '' + + (concatMapStrings (network: + '' + iptables -t nat -A POSTROUTING \ + -s ${network} -o ${cfg.externalInterface} \ + ${if cfg.externalIP == "" + then "-j MASQUERADE" + else "-j SNAT --to-source ${cfg.externalIP}"} + '' + ) cfg.internalIPs) + + '' + echo 1 > /proc/sys/net/ipv4/ip_forward + ''; + + postStop = + '' + iptables -t nat -F POSTROUTING + ''; + }; + }; +} |