nixfiles/nixos/modules/firewall.nix

{ lib, options, config, ... }:
let
  inherit (builtins) typeOf attrNames;
  inherit (lib)
    optionalString concatStringsSep concatMapStringsSep mapAttrsToList optionalAttrs mkIf
    mkDefault mkMerge mkOverride;
  inherit (lib.my) isIPv6 mkOpt' mkBoolOpt';

  allowICMP = ''
    icmp type {
      destination-unreachable,
      router-solicitation,
      router-advertisement,
      time-exceeded,
      parameter-problem,
      echo-request
    } accept
  '';
  allowICMP6 = ''
    icmpv6 type {
      destination-unreachable,
      packet-too-big,
      time-exceeded,
      parameter-problem,
      mld-listener-query,
      mld-listener-report,
      mld-listener-reduction,
      nd-router-solicit,
      nd-router-advert,
      nd-neighbor-solicit,
      nd-neighbor-advert,
      ind-neighbor-solicit,
      ind-neighbor-advert,
      mld2-listener-report,
      echo-request
    } accept
  '';
  allowUDPTraceroute = ''
    udp dport 33434-33625 accept
  '';

  forwardOpts = with lib.types; { config, ... }: {
    options = {
      proto = mkOpt' (enum [ "tcp" "udp" ]) "tcp" "Protocol.";
      port = mkOpt' (either port str) null "Incoming port.";
      dst = mkOpt' str null "Destination IP.";
      dstPort = mkOpt' (either port str) config.port "Destination port.";
    };
  };

  cfg = config.my.firewall;
  iptCfg = config.networking.firewall;
in
{
  options.my.firewall = with lib.types; {
    enable = mkBoolOpt' true "Whether to enable the nftables-based firewall.";
    trustedInterfaces = options.networking.firewall.trustedInterfaces;
    tcp = {
      allowed = mkOpt' (listOf (either port str)) [ ] "TCP ports to open.";
    };
    udp = {
      allowed = mkOpt' (listOf (either port str)) [ ] "UDP ports to open.";
      allowTraceroute = mkBoolOpt' true "Whethor or not to add a rule to accept UDP traceroute packets.";
    };
    extraRules = mkOpt' lines "" "Arbitrary additional nftables rules.";

    nat = with options.networking.nat; {
      enable = mkBoolOpt' true "Whether to enable IP forwarding and NAT.";
      inherit externalInterface;
      forwardPorts = mkOpt' (either (listOf (submodule forwardOpts)) (attrsOf (listOf (submodule forwardOpts)))) [ ] "IPv4 port forwards";
    };
  };

  config = mkIf cfg.enable (mkMerge [
    {
      networking = {
        firewall.enable = false;
        nftables = {
          enable = true;
          ruleset =
            let
              trusted' = "{ ${concatStringsSep ", " (cfg.trustedInterfaces ++ iptCfg.trustedInterfaces)} }";
              openTCP = cfg.tcp.allowed ++ iptCfg.allowedTCPPorts;
              openUDP = cfg.udp.allowed ++ iptCfg.allowedUDPPorts;
            in
            ''
              table inet filter {
                chain wan-tcp {
                  ${concatMapStringsSep "\n    " (p: "tcp dport ${toString p} accept") openTCP}
                  return
                }
                chain wan-udp {
                  ${concatMapStringsSep "\n    " (p: "udp dport ${toString p} accept") openUDP}
                  return
                }

                chain wan {
                  ${allowICMP}
                  ip protocol igmp accept
                  ${allowICMP6}
                  ${allowUDPTraceroute}

                  tcp flags & (fin|syn|rst|ack) == syn ct state new jump wan-tcp
                  meta l4proto udp ct state new jump wan-udp

                  return
                }

                chain input {
                  type filter hook input priority 0; policy drop;

                  ct state established,related accept
                  ct state invalid drop

                  iif lo accept
                  ${optionalString (cfg.trustedInterfaces != []) "iifname ${trusted'} accept\n"}
                  jump wan
                }
                chain forward {
                  type filter hook forward priority 0; policy drop;
                  ${optionalString (cfg.trustedInterfaces != []) "\n    iifname ${trusted'} accept\n"}
                  ct state related,established accept

                  ${allowICMP}
                  ${allowICMP6}
                  ${allowUDPTraceroute}
                }
                chain output {
                  type filter hook output priority 0; policy accept;
                }
              }

              table inet nat {
                chain prerouting {
                  type nat hook prerouting priority dstnat;
                }
                chain output {
                  type nat hook output priority dstnat;
                }
                chain postrouting {
                  type nat hook postrouting priority srcnat;
                }
                chain input {
                  type nat hook input priority srcnat;
                }
              }

              ${cfg.extraRules}
            '';
        };
      };
    }
    (mkIf cfg.nat.enable (
    let
      iifForward = typeOf cfg.nat.forwardPorts == "list" && cfg.nat.forwardPorts != [ ];
      dipForward = typeOf cfg.nat.forwardPorts == "set" && cfg.nat.forwardPorts != { };
    in
    {
      assertions = [
        {
          assertion = with cfg.nat; iifForward -> (externalInterface != null);
          message = "my.firewall.nat.forwardPorts as list requires my.firewall.nat.externalInterface";
        }
      ];

      # Yoinked from nixpkgs/nixos/modules/services/networking/nat.nix
      boot = {
        kernel.sysctl = {
          "net.ipv4.conf.all.forwarding" = mkOverride 99 true;
          "net.ipv4.conf.default.forwarding" = mkOverride 99 true;
        } // optionalAttrs config.networking.enableIPv6 {
          # Do not prevent IPv6 autoconfiguration.
          # See <http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/>.
          "net.ipv6.conf.all.accept_ra" = mkOverride 99 2;
          "net.ipv6.conf.default.accept_ra" = mkOverride 99 2;

          # Forward IPv6 packets.
          "net.ipv6.conf.all.forwarding" = mkOverride 99 true;
          "net.ipv6.conf.default.forwarding" = mkOverride 99 true;
        };
      };

      my.firewall.extraRules =
        let
          inherit (lib.my.nft) natFilterChain dnatChain;
          ipK = ip: "ip${optionalString (isIPv6 ip) "6"}";

          makeFilter = f:
            "${ipK f.dst} daddr ${f.dst} ${f.proto} dport ${toString f.dstPort} accept";
          makeForward = f:
            "${f.proto} dport ${toString f.port} dnat ${ipK f.dst} to ${f.dst}:${toString f.dstPort}";

          dnatJumps = ''
            ${optionalString
              iifForward
              "iifname ${cfg.nat.externalInterface} jump iif-port-forward"}
            ${optionalString
              dipForward
              (concatMapStringsSep "\n    " (ip: "${ipK ip} daddr ${ip} jump ${dnatChain ip}") (attrNames cfg.nat.forwardPorts))}
          '';
        in
        ''
          table inet filter {
            ${optionalString iifForward ''
              chain filter-iif-port-forwards {
                ${concatMapStringsSep "\n    " makeFilter cfg.nat.forwardPorts}
                return
              }
            ''}
            ${optionalString
              dipForward
              (concatStringsSep "\n" (mapAttrsToList (ip: fs: ''
                chain ${natFilterChain ip} {
                  ${concatMapStringsSep "\n    " makeFilter fs}
                  return
                }
              '') cfg.nat.forwardPorts))}

            chain forward {
              ${optionalString
                iifForward
                "iifname ${cfg.nat.externalInterface} jump filter-iif-port-forwards"}
              ${optionalString
                dipForward
                (concatMapStringsSep "\n    " (ip: "jump ${natFilterChain ip}") (attrNames cfg.nat.forwardPorts))}
            }
          }

          table inet nat {
            ${optionalString iifForward ''
              chain iif-port-forward {
                ${concatMapStringsSep "\n    " makeForward cfg.nat.forwardPorts}
                return
              }
            ''}
            ${optionalString
              dipForward
              (concatStringsSep "\n" (mapAttrsToList (ip: fs: ''
                chain ${dnatChain ip} {
                  ${concatMapStringsSep "\n    " makeForward fs}
                  return
                }
              '') cfg.nat.forwardPorts))}

            chain prerouting {
              ${dnatJumps}
            }
            chain output {
              ${dnatJumps}
            }
          }
        '';
    }))
  ]);

  meta.buildDocsInSandbox = false;
}
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00			`{ lib, options, config, ... }:`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`let`
nixos/colony: Replicate port forwards for internal routing 2023-12-11 15:05:42 +00:00			`inherit (builtins) typeOf attrNames;`
nixos/firewall: Add ability to forward per external IP 2023-12-11 14:59:40 +00:00			`inherit (lib)`
			`optionalString concatStringsSep concatMapStringsSep mapAttrsToList optionalAttrs mkIf`
			`mkDefault mkMerge mkOverride;`
nixos: Implement estuary -> kelder tunnel 2023-05-14 01:12:42 +01:00			`inherit (lib.my) isIPv6 mkOpt' mkBoolOpt';`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
nixos: Test setup with public networking 2022-05-28 22:59:50 +01:00			`allowICMP = ''`
			`icmp type {`
			`destination-unreachable,`
			`router-solicitation,`
			`router-advertisement,`
			`time-exceeded,`
			`parameter-problem,`
			`echo-request`
			`} accept`
			`'';`
			`allowICMP6 = ''`
			`icmpv6 type {`
			`destination-unreachable,`
			`packet-too-big,`
			`time-exceeded,`
			`parameter-problem,`
			`mld-listener-query,`
			`mld-listener-report,`
			`mld-listener-reduction,`
			`nd-router-solicit,`
			`nd-router-advert,`
			`nd-neighbor-solicit,`
			`nd-neighbor-advert,`
			`ind-neighbor-solicit,`
			`ind-neighbor-advert,`
			`mld2-listener-report,`
			`echo-request`
			`} accept`
			`'';`
			`allowUDPTraceroute = ''`
			`udp dport 33434-33625 accept`
			`'';`

nixos: Implement estuary -> kelder tunnel 2023-05-14 01:12:42 +01:00			`forwardOpts = with lib.types; { config, ... }: {`
nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`options = {`
			`proto = mkOpt' (enum [ "tcp" "udp" ]) "tcp" "Protocol.";`
nixos: Test setup with public networking 2022-05-28 22:59:50 +01:00			`port = mkOpt' (either port str) null "Incoming port.";`
nixos: Implement estuary -> kelder tunnel 2023-05-14 01:12:42 +01:00			`dst = mkOpt' str null "Destination IP.";`
			`dstPort = mkOpt' (either port str) config.port "Destination port.";`
nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`};`
			`};`

Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`cfg = config.my.firewall;`
Implement initial containers module 2022-03-26 14:20:30 +00:00			`iptCfg = config.networking.firewall;`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`in`
			`{`
			`options.my.firewall = with lib.types; {`
Add custom module documentation 2022-02-13 17:44:14 +00:00			`enable = mkBoolOpt' true "Whether to enable the nftables-based firewall.";`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`trustedInterfaces = options.networking.firewall.trustedInterfaces;`
			`tcp = {`
nixos/modules/firewall: Inherit `networking.firewall.allowed*Ports` 2022-02-17 17:08:25 +00:00			`allowed = mkOpt' (listOf (either port str)) [ ] "TCP ports to open.";`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`};`
			`udp = {`
Add custom module documentation 2022-02-13 17:44:14 +00:00			`allowed = mkOpt' (listOf (either port str)) [ ] "UDP ports to open.";`
nixos: Test setup with public networking 2022-05-28 22:59:50 +01:00			`allowTraceroute = mkBoolOpt' true "Whethor or not to add a rule to accept UDP traceroute packets.";`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`};`
Add custom module documentation 2022-02-13 17:44:14 +00:00			`extraRules = mkOpt' lines "" "Arbitrary additional nftables rules.";`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`nat = with options.networking.nat; {`
Add custom module documentation 2022-02-13 17:44:14 +00:00			`enable = mkBoolOpt' true "Whether to enable IP forwarding and NAT.";`
nixos/firewall: Add ability to forward per external IP 2023-12-11 14:59:40 +00:00			`inherit externalInterface;`
			`forwardPorts = mkOpt' (either (listOf (submodule forwardOpts)) (attrsOf (listOf (submodule forwardOpts)))) [ ] "IPv4 port forwards";`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00			`};`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`};`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`config = mkIf cfg.enable (mkMerge [`
			`{`
			`networking = {`
			`firewall.enable = false;`
			`nftables = {`
			`enable = true;`
			`ruleset =`
			`let`
Implement initial containers module 2022-03-26 14:20:30 +00:00			`trusted' = "{ ${concatStringsSep ", " (cfg.trustedInterfaces ++ iptCfg.trustedInterfaces)} }";`
			`openTCP = cfg.tcp.allowed ++ iptCfg.allowedTCPPorts;`
			`openUDP = cfg.udp.allowed ++ iptCfg.allowedUDPPorts;`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`in`
			`''`
			`table inet filter {`
			`chain wan-tcp {`
nixos/modules/firewall: Inherit `networking.firewall.allowed*Ports` 2022-02-17 17:08:25 +00:00			`${concatMapStringsSep "\n " (p: "tcp dport ${toString p} accept") openTCP}`
Add initial nginx container 2022-05-31 21:25:51 +01:00			`return`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
			`chain wan-udp {`
nixos/modules/firewall: Inherit `networking.firewall.allowed*Ports` 2022-02-17 17:08:25 +00:00			`${concatMapStringsSep "\n " (p: "udp dport ${toString p} accept") openUDP}`
Add initial nginx container 2022-05-31 21:25:51 +01:00			`return`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`chain wan {`
nixos: Test setup with public networking 2022-05-28 22:59:50 +01:00			`${allowICMP}`
nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`ip protocol igmp accept`
nixos: Test setup with public networking 2022-05-28 22:59:50 +01:00			`${allowICMP6}`
			`${allowUDPTraceroute}`

			`tcp flags & (fin\|syn\|rst\|ack) == syn ct state new jump wan-tcp`
			`meta l4proto udp ct state new jump wan-udp`

			`return`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`chain input {`
			`type filter hook input priority 0; policy drop;`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`ct state established,related accept`
			`ct state invalid drop`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`iif lo accept`
			`${optionalString (cfg.trustedInterfaces != []) "iifname ${trusted'} accept\n"}`
			`jump wan`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00			`}`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`chain forward {`
			`type filter hook forward priority 0; policy drop;`
			`${optionalString (cfg.trustedInterfaces != []) "\n iifname ${trusted'} accept\n"}`
			`ct state related,established accept`
nixos: Test setup with public networking 2022-05-28 22:59:50 +01:00
			`${allowICMP}`
			`${allowICMP6}`
			`${allowUDPTraceroute}`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
			`chain output {`
			`type filter hook output priority 0; policy accept;`
			`}`
			`}`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`table inet nat {`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`chain prerouting {`
nixos: Working ACME certs 2022-06-06 00:18:24 +01:00			`type nat hook prerouting priority dstnat;`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
nixos/git: Fix for local access to git.nul.ie 2023-12-09 16:30:06 +00:00			`chain output {`
			`type nat hook output priority dstnat;`
			`}`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`chain postrouting {`
nixos: Working ACME certs 2022-06-06 00:18:24 +01:00			`type nat hook postrouting priority srcnat;`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00			`}`
nixos/colony: Replicate port forwards for internal routing 2023-12-11 15:05:42 +00:00			`chain input {`
			`type nat hook input priority srcnat;`
			`}`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`${cfg.extraRules}`
			`'';`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00			`};`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`};`
			`}`
nixos/firewall: Add ability to forward per external IP 2023-12-11 14:59:40 +00:00			`(mkIf cfg.nat.enable (`
			`let`
			`iifForward = typeOf cfg.nat.forwardPorts == "list" && cfg.nat.forwardPorts != [ ];`
			`dipForward = typeOf cfg.nat.forwardPorts == "set" && cfg.nat.forwardPorts != { };`
			`in`
			`{`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`assertions = [`
			`{`
nixos/firewall: Add ability to forward per external IP 2023-12-11 14:59:40 +00:00			`assertion = with cfg.nat; iifForward -> (externalInterface != null);`
			`message = "my.firewall.nat.forwardPorts as list requires my.firewall.nat.externalInterface";`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
			`];`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`# Yoinked from nixpkgs/nixos/modules/services/networking/nat.nix`
			`boot = {`
			`kernel.sysctl = {`
			`"net.ipv4.conf.all.forwarding" = mkOverride 99 true;`
			`"net.ipv4.conf.default.forwarding" = mkOverride 99 true;`
			`} // optionalAttrs config.networking.enableIPv6 {`
			`# Do not prevent IPv6 autoconfiguration.`
			`# See <http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/>.`
			`"net.ipv6.conf.all.accept_ra" = mkOverride 99 2;`
			`"net.ipv6.conf.default.accept_ra" = mkOverride 99 2;`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`# Forward IPv6 packets.`
			`"net.ipv6.conf.all.forwarding" = mkOverride 99 true;`
			`"net.ipv6.conf.default.forwarding" = mkOverride 99 true;`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00			`};`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`};`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`my.firewall.extraRules =`
			`let`
nixos/colony: Replicate port forwards for internal routing 2023-12-11 15:05:42 +00:00			`inherit (lib.my.nft) natFilterChain dnatChain;`
nixos/firewall: Add ability to forward per external IP 2023-12-11 14:59:40 +00:00			`ipK = ip: "ip${optionalString (isIPv6 ip) "6"}";`

Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`makeFilter = f:`
nixos/firewall: Add ability to forward per external IP 2023-12-11 14:59:40 +00:00			`"${ipK f.dst} daddr ${f.dst} ${f.proto} dport ${toString f.dstPort} accept";`
nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`makeForward = f:`
nixos/firewall: Add ability to forward per external IP 2023-12-11 14:59:40 +00:00			`"${f.proto} dport ${toString f.port} dnat ${ipK f.dst} to ${f.dst}:${toString f.dstPort}";`
nixos/colony: Replicate port forwards for internal routing 2023-12-11 15:05:42 +00:00
			`dnatJumps = ''`
			`${optionalString`
			`iifForward`
			`"iifname ${cfg.nat.externalInterface} jump iif-port-forward"}`
			`${optionalString`
			`dipForward`
			`(concatMapStringsSep "\n " (ip: "${ipK ip} daddr ${ip} jump ${dnatChain ip}") (attrNames cfg.nat.forwardPorts))}`
			`'';`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`in`
			`''`
			`table inet filter {`
nixos/firewall: Add ability to forward per external IP 2023-12-11 14:59:40 +00:00			`${optionalString iifForward ''`
			`chain filter-iif-port-forwards {`
			`${concatMapStringsSep "\n " makeFilter cfg.nat.forwardPorts}`
			`return`
			`}`
			`''}`
			`${optionalString`
			`dipForward`
			`(concatStringsSep "\n" (mapAttrsToList (ip: fs: ''`
nixos/colony: Replicate port forwards for internal routing 2023-12-11 15:05:42 +00:00			`chain ${natFilterChain ip} {`
nixos/firewall: Add ability to forward per external IP 2023-12-11 14:59:40 +00:00			`${concatMapStringsSep "\n " makeFilter fs}`
			`return`
			`}`
			`'') cfg.nat.forwardPorts))}`

Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`chain forward {`
Add initial installer 2022-02-17 15:47:24 +00:00			`${optionalString`
nixos/firewall: Add ability to forward per external IP 2023-12-11 14:59:40 +00:00			`iifForward`
			`"iifname ${cfg.nat.externalInterface} jump filter-iif-port-forwards"}`
			`${optionalString`
			`dipForward`
nixos/whale2: Add Minecraft server 2024-01-01 16:28:04 +00:00			`(concatMapStringsSep "\n " (ip: "jump ${natFilterChain ip}") (attrNames cfg.nat.forwardPorts))}`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
			`}`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00
nixos/firewall: Fixes for NAT and IPv6 2022-05-28 21:50:26 +01:00			`table inet nat {`
nixos/firewall: Add ability to forward per external IP 2023-12-11 14:59:40 +00:00			`${optionalString iifForward ''`
			`chain iif-port-forward {`
			`${concatMapStringsSep "\n " makeForward cfg.nat.forwardPorts}`
			`return`
			`}`
			`''}`
			`${optionalString`
			`dipForward`
			`(concatStringsSep "\n" (mapAttrsToList (ip: fs: ''`
nixos/colony: Replicate port forwards for internal routing 2023-12-11 15:05:42 +00:00			`chain ${dnatChain ip} {`
nixos/firewall: Add ability to forward per external IP 2023-12-11 14:59:40 +00:00			`${concatMapStringsSep "\n " makeForward fs}`
			`return`
			`}`
			`'') cfg.nat.forwardPorts))}`

Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`chain prerouting {`
nixos/colony: Replicate port forwards for internal routing 2023-12-11 15:05:42 +00:00			`${dnatJumps}`
			`}`
			`chain output {`
			`${dnatJumps}`
Add firewall module Also: tmproot tweaks 2022-02-12 01:53:57 +00:00			`}`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`
			`'';`
nixos/firewall: Add ability to forward per external IP 2023-12-11 14:59:40 +00:00			`}))`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`]);`
Add capability to choose home-manager branch 2022-02-15 20:50:27 +00:00
			`meta.buildDocsInSandbox = false;`
Apply nixpkgs-fmt 2022-02-13 13:10:21 +00:00			`}`