Add option networking.nat.internalInterfaces

This allows applying NAT to an interface, rather than an IP range.
This commit is contained in:
Eelco Dolstra 2014-04-10 14:23:38 +02:00
parent ac8c924c09
commit a34bfbab4c


@ -10,6 +10,8 @@ let
cfg = config.networking.nat;
dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}";
in
{
@ -27,14 +29,27 @@ in
'';
};
networking.nat.internalInterfaces = mkOption {
type = types.listOf types.str;
default = [];
example = [ "eth0" ];
description =
''
The interfaces for which to perform NAT. Packets coming from
these interface and destined for the external interface will
be rewritten.
'';
};
networking.nat.internalIPs = mkOption {
type = types.listOf types.str;
example = [ "192.168.1.0/24" ] ;
default = [];
example = [ "192.168.1.0/24" ];
description =
''
The IP address ranges for which to perform NAT. Packets
coming from these networks and destined for the external
interface will be rewritten.
coming from these addresses (on any interface) and destined
for the external interface will be rewritten.
'';
};
@ -80,25 +95,37 @@ in
preStart =
''
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -X
''
+ (concatMapStrings (network:
''
iptables -t nat -A POSTROUTING \
-s ${network} -o ${cfg.externalInterface} \
${if cfg.externalIP == null
then "-j MASQUERADE"
else "-j SNAT --to-source ${cfg.externalIP}"}
''
) cfg.internalIPs) +
''
# We can't match on incoming interface in POSTROUTING, so
# mark packets coming from the external interfaces.
${concatMapStrings (iface: ''
iptables -t nat -A PREROUTING \
-i '${iface}' -j MARK --set-mark 1
'') cfg.internalInterfaces}
# NAT the marked packets.
${optionalString (cfg.internalInterfaces != []) ''
iptables -t nat -A POSTROUTING -m mark --mark 1 \
-o ${cfg.externalInterface} ${dest}
''}
# NAT packets coming from the internal IPs.
${concatMapStrings (range: ''
iptables -t nat -A POSTROUTING \
-s '${range}' -o ${cfg.externalInterface} ${dest}}
'') cfg.internalIPs}
echo 1 > /proc/sys/net/ipv4/ip_forward
'';
postStop =
''
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -X
'';
};
};
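Review bot: The new POSTROUTING rule for `cfg.internalIPs` has a stray closing brace, `-s '${range}' -o ${cfg.externalInterface} ${dest}}`, so the generated shell line ends in `-j MASQUERADE}` (or `--to-source <ip>}`) and iptables rejects it as an unknown target; because this runs in `preStart`, the nat service then fails to start for every configuration that already uses `internalIPs`, which is a regression for existing users rather than just a bug in the new option. The line should read `-s '${range}' -o ${cfg.externalInterface} ${dest}`. Separately, the PREROUTING rule sets the hard-coded fwmark `1` on every packet entering an internal interface, which presumably interacts with any other policy-routing or firewall rules on the host that key on the same mark value; a comment such as `# Uses fwmark 1 unconditionally; other rules matching this mark will also select these packets.` would make that trade-off visible, and making the mark value an option would avoid the collision. The option description in the second hunk also has a typo, `these interface` should be `these interfaces`.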