| author | Mel <mel@rnrd.eu> | 2026-04-24 23:35:19 +0200 |
|---|---|---|
| committer | Mel <mel@rnrd.eu> | 2026-04-24 23:35:19 +0200 |
| commit | 56c22cf8ae9de73bbc1c37ce0b1635ae7af9be64 (patch) | |
| tree | 3ba1ca13dcf1ed9c0013f6bffddaee9392991b16 /modules/tunnel | |
| parent | 127d8ff2c2e77a0cbfc7a2a3c962ef23b5ab7261 (diff) | |
Migrate fully to systemd-networkd and nftables
Signed-off-by: Mel <mel@rnrd.eu>
Diffstat (limited to 'modules/tunnel')
| -rw-r--r-- | modules/tunnel/ingress.nix | 15 |
1 files changed, 6 insertions, 9 deletions
diff --git a/modules/tunnel/ingress.nix b/modules/tunnel/ingress.nix
index 8a6ae3b..1ea1613 100644
--- a/modules/tunnel/ingress.nix
+++ b/modules/tunnel/ingress.nix
@@ -32,10 +32,6 @@ let
 mtu = 1400;
 in {
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = 1; # allow ipv4 forwarding
- };
-
 networking.firewall = {
 allowedUDPPorts = map (x: x.port) paths;
 allowedTCPPorts = map (x: x.port) paths;
@@ -118,12 +114,13 @@ in
 # allow forwarding packets between egress and ingress, but avoid any snat,
 # ip should always keep it's origin form, for correct egress routing.
 # also adapt mss to outgoing mss value, so that we don't shatter packets.
- networking.nftables.ruleset =
+ networking.nftables.tables.tunnel-forward =
 let
 ingressInterfaces = concatImapStringsSep "\", \"" (i: _: ingressName (i - 1)) paths;
 in
- ''
- table inet filter {
+ {
+ family = "inet";
+ content = ''
 chain forward {
 type filter hook forward priority 0; policy drop;
@@ -132,8 +129,8 @@ in
 iifname { "${ingressInterfaces}" } oifname "${egressName}" accept
 iifname "${egressName}" oifname { "${ingressInterfaces}" } accept
 }
- }
- '';
+ '';
+ };
 # sing-box is a vpn client supporting various protocols which will allow us
 # to configure it in whichever way we want to avoid russian dpi.
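Review bot: Dropping the `"net.ipv4.ip_forward" = 1` sysctl in the first hunk leaves nothing in this file that enables IPv4 forwarding, while the forward-hook chain added later in the same file only has an effect once the kernel actually forwards packets; if no other file in this commit sets forwarding (the diffstat is limited to modules/tunnel, so the rest of the change is not visible here), traffic between the egress and ingress interfaces is discarded by the kernel before nftables ever sees it. Either keep the sysctl in this module or leave a comment naming where forwarding is now enabled, e.g. `# ipv4 forwarding is enabled in <OTHER-MODULE-PLACEHOLDER> via systemd-networkd`. The enclosing `in { ... }` attribute set continues outside the hunk.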
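Review bot: In the second hunk the table is now declared through `networking.nftables.tables.tunnel-forward`, which is additive, unlike the whole-ruleset string it replaces; its `chain forward { type filter hook forward priority 0; policy drop; ... }` therefore runs alongside any other forward-hook chain on the host, and because a drop verdict in any such chain is final, the accept rules here cannot override another table's policy. That is worth stating in the comment above the table, e.g. `# coexists with other nftables tables; a forward drop in another table still wins`. The same comment promises an MSS clamp, but the chain content visible in this and the third hunk shows only accept rules, so the clamp rule presumably sits in the unshown lines between the two hunks and should be confirmed to have survived the move. The chain body starts in this hunk and continues outside it.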
