Use iptables' ‘-w’ flag
This prevents errors like "Another app is currently holding the xtables lock" if the firewall and NAT services are starting in parallel. (Longer term, we should probably move to a single service for managing the iptables rules.)
parent
b9281e6a2d
commit
017408e048
nixos/modules/services/networking
|
@ -32,9 +32,9 @@ let
|
||||||
''
|
''
|
||||||
# Helper command to manipulate both the IPv4 and IPv6 tables.
|
# Helper command to manipulate both the IPv4 and IPv6 tables.
|
||||||
ip46tables() {
|
ip46tables() {
|
||||||
iptables "$@"
|
iptables -w "$@"
|
||||||
${optionalString config.networking.enableIPv6 ''
|
${optionalString config.networking.enableIPv6 ''
|
||||||
ip6tables "$@"
|
ip6tables -w "$@"
|
||||||
''}
|
''}
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
|
@ -386,7 +386,7 @@ in
|
||||||
|
|
||||||
# Optionally respond to ICMPv4 pings.
|
# Optionally respond to ICMPv4 pings.
|
||||||
${optionalString cfg.allowPing ''
|
${optionalString cfg.allowPing ''
|
||||||
iptables -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null)
|
iptables -w -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null)
|
||||||
"-m limit ${cfg.pingLimit} "
|
"-m limit ${cfg.pingLimit} "
|
||||||
}-j nixos-fw-accept
|
}-j nixos-fw-accept
|
||||||
''}
|
''}
|
||||||
|
|
|
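Review bot: The ICMP echo-request rule in the second hunk calls `iptables -w -A nixos-fw` directly instead of going through `ip46tables`, so the flag had to be added by hand there. Any other direct `iptables` or `ip6tables` call in this file outside the two visible hunks needs the same treatment. A call left without `-w` would still fail on lock contention, and depending on how the surrounding script handles errors (not visible here) that could leave the ruleset only partly applied. It would also help to document the flag at the helper, e.g. `# -w: wait for the xtables lock instead of failing when another service holds it.` Both hunks sit inside larger blocks that start and end outside the visible lines.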
@ -95,26 +95,26 @@ in
|
||||||
|
|
||||||
preStart =
|
preStart =
|
||||||
''
|
''
|
||||||
iptables -t nat -F PREROUTING
|
iptables -w -t nat -F PREROUTING
|
||||||
iptables -t nat -F POSTROUTING
|
iptables -w -t nat -F POSTROUTING
|
||||||
iptables -t nat -X
|
iptables -w -t nat -X
|
||||||
|
|
||||||
# We can't match on incoming interface in POSTROUTING, so
|
# We can't match on incoming interface in POSTROUTING, so
|
||||||
# mark packets coming from the external interfaces.
|
# mark packets coming from the external interfaces.
|
||||||
${concatMapStrings (iface: ''
|
${concatMapStrings (iface: ''
|
||||||
iptables -t nat -A PREROUTING \
|
iptables -w -t nat -A PREROUTING \
|
||||||
-i '${iface}' -j MARK --set-mark 1
|
-i '${iface}' -j MARK --set-mark 1
|
||||||
'') cfg.internalInterfaces}
|
'') cfg.internalInterfaces}
|
||||||
|
|
||||||
# NAT the marked packets.
|
# NAT the marked packets.
|
||||||
${optionalString (cfg.internalInterfaces != []) ''
|
${optionalString (cfg.internalInterfaces != []) ''
|
||||||
iptables -t nat -A POSTROUTING -m mark --mark 1 \
|
iptables -w -t nat -A POSTROUTING -m mark --mark 1 \
|
||||||
-o ${cfg.externalInterface} ${dest}
|
-o ${cfg.externalInterface} ${dest}
|
||||||
''}
|
''}
|
||||||
|
|
||||||
# NAT packets coming from the internal IPs.
|
# NAT packets coming from the internal IPs.
|
||||||
${concatMapStrings (range: ''
|
${concatMapStrings (range: ''
|
||||||
iptables -t nat -A POSTROUTING \
|
iptables -w -t nat -A POSTROUTING \
|
||||||
-s '${range}' -o ${cfg.externalInterface} ${dest}
|
-s '${range}' -o ${cfg.externalInterface} ${dest}
|
||||||
'') cfg.internalIPs}
|
'') cfg.internalIPs}
|
||||||
|
|
||||||
|
@ -123,9 +123,9 @@ in
|
||||||
|
|
||||||
postStop =
|
postStop =
|
||||||
''
|
''
|
||||||
iptables -t nat -F PREROUTING
|
iptables -w -t nat -F PREROUTING
|
||||||
iptables -t nat -F POSTROUTING
|
iptables -w -t nat -F POSTROUTING
|
||||||
iptables -t nat -X
|
iptables -w -t nat -X
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
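Review bot: `-w` serialises each individual invocation, but the `preStart` sequence as a whole (flush `PREROUTING` and `POSTROUTING`, `-X`, then re-append) still takes and releases the lock once per command. A service starting in parallel can interleave with it, and there is a window between the flush and the re-added rules in which the NAT rules are absent. The flushes of the built-in chains and `iptables -w -t nat -X` also discard whatever another unit has placed in the nat table, which matters if anything else on the host manages nat rules. The same applies to the `postStop` hunk. I would document that ownership above the flushes, e.g. `# This unit owns nat PREROUTING/POSTROUTING: rules and user chains added by other services are removed here.` The single-service approach mentioned in the description is the real fix. The surrounding service definition starts outside the hunks.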