authorMel <mel@rnrd.eu>2025-08-31 22:55:32 +0200
committerMel <mel@rnrd.eu>2025-08-31 22:55:32 +0200
commit18b2466ba3438c1e7568cee5d99726bffe28966a (patch)
tree085e38a1616abfa1a01af5a0cabe9bac0cc3cc8a /modules/foundation/services
parent62dc9d3dbd853f074f786ffd179e63a94ad509ea (diff)
Make IPv6 custom docker foundation networks work with various ip6tables rules... Phew...
Signed-off-by: Mel <mel@rnrd.eu>
Diffstat (limited to 'modules/foundation/services')
-rw-r--r--modules/foundation/services/networks.nix21
1 files changed, 21 insertions, 0 deletions
diff --git a/modules/foundation/services/networks.nix b/modules/foundation/services/networks.nix
index 72e5b48..8be5723 100644
--- a/modules/foundation/services/networks.nix
+++ b/modules/foundation/services/networks.nix
@@ -168,6 +168,27 @@ in
       "net.ipv6.conf.default.forwarding" = 1;
     };
 
+    networking.firewall = {
+      # both options should work together to let all packets coming from
+      # docker bridges through.
+      trustedInterfaces = [ "br-*" ];
+      extraCommands = ''
+        # allow inbound packets
+        ip6tables -A nixos-fw -i br-+ -j nixos-fw-accept 2>/dev/null || true
+
+        # allow outbound to the docker bridge
+        ip6tables -A nixos-fw -o br-+ -j nixos-fw-accept 2>/dev/null || true
+
+        # allow forwarding between bridges+external interfaces
+        ip6tables -I FORWARD -i br-+ -j ACCEPT 2>/dev/null || true
+        ip6tables -I FORWARD -o br-+ -j ACCEPT 2>/dev/null || true
+
+        # allow return traffic
+        # note: nothing works without this!
+        ip6tables -I FORWARD ! -i br-+ -o br-+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
+      '';
+    };
+
     systemd.services =
       let
         prefixOffset = 100;
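Review bot: The unconditional `ip6tables -I FORWARD -o br-+ -j ACCEPT` on line 40 is inserted at the head of FORWARD, so every new inbound IPv6 connection to any container on a br-* bridge is accepted before Docker's own FORWARD chains (DOCKER-USER/DOCKER) can restrict traffic to published ports; with globally routable container addresses that exposes every container port, and it also makes the RELATED,ESTABLISHED rule on line 44 redundant, which sits oddly with the comment that nothing works without it. Limiting the rule to reply traffic, `ip6tables -I FORWARD -o br-+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`, keeps return traffic flowing while leaving new connections to Docker's rules (the `-i br-+` rule on line 39 likewise bypasses Docker's inter-network isolation, which may be intended here). `trustedInterfaces = [ "br-*" ]` on line 30 probably matches nothing, because iptables treats only a trailing `+` as an interface wildcard, so `"br-+"` is the form the generated `-i` rule would need. As far as I can tell the FORWARD chain is not flushed on a firewall reload, so the `-I FORWARD` rules accumulate across reloads unless matching `-D` lines are added to `networking.firewall.extraStopCommands`, and the `2>/dev/null || true` suffix hides the errors that would otherwise reveal this.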