Diffstat (limited to 'modules/tunnel/ingress.nix')
-rw-r--r--modules/tunnel/ingress.nix15
1 files changed, 6 insertions, 9 deletions
diff --git a/modules/tunnel/ingress.nix b/modules/tunnel/ingress.nix
index 8a6ae3b..1ea1613 100644
--- a/modules/tunnel/ingress.nix
+++ b/modules/tunnel/ingress.nix
@@ -32,10 +32,6 @@ let
   mtu = 1400;
 in
 {
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = 1; # allow ipv4 forwarding
-  };
-
   networking.firewall = {
     allowedUDPPorts = map (x: x.port) paths;
     allowedTCPPorts = map (x: x.port) paths;
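Review bot: Removing `boot.kernel.sysctl."net.ipv4.ip_forward" = 1` leaves nothing in this file enabling IPv4 forwarding, while the module's nftables forward chain (second hunk, `type filter hook forward`, accepting traffic between the ingress and egress interfaces) only does anything when the kernel forwards at all. Unless another module such as the egress side or `networking.nat` sets this sysctl, the tunnel will silently stop relaying packets with no firewall error to point at the cause. If the removal is intentional because forwarding is enabled elsewhere, a one-line comment near `networking.firewall` naming that place, e.g. `# net.ipv4.ip_forward is enabled by <module that sets it>`, would spare the next reader the search; otherwise the sysctl should stay.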
@@ -118,12 +114,13 @@ in
   # allow forwarding packets between egress and ingress, but avoid any snat,
   # ip should always keep it's origin form, for correct egress routing.
   # also adapt mss to outgoing mss value, so that we don't shatter packets.
-  networking.nftables.ruleset =
+  networking.nftables.tables.tunnel-forward =
     let
       ingressInterfaces = concatImapStringsSep "\", \"" (i: _: ingressName (i - 1)) paths;
     in
-    ''
-      table inet filter {
+    {
+      family = "inet";
+      content = ''
         chain forward {
           type filter hook forward priority 0; policy drop;
 
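Review bot: The header comment above `networking.nftables.tables.tunnel-forward` says what is allowed but not that everything else is refused, even though `policy drop` on the forward hook means any forwarded traffic not matching the interface pairs is dropped by default; since this table now carries its own name (`tunnel-forward` instead of the previous `filter`) and coexists with whatever other nftables tables the host defines, the default deserves to be stated, e.g. `# policy drop: forwarding between any other interfaces is refused by default.` Note also that a forward-hook chain with `policy drop` in a separate table cannot be overridden by another table's forward chain — a packet must be accepted by every forward hook chain — so the allow rules here are the only path for forwarded traffic. The chain's remaining rules lie between this hunk and the next, outside the visible lines.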
@@ -132,8 +129,8 @@ in
           iifname { "${ingressInterfaces}" } oifname "${egressName}" accept
           iifname "${egressName}" oifname { "${ingressInterfaces}" } accept
         }
-      }
-    '';
+      '';
+    };
 
   # sing-box is a vpn client supporting various protocols which will allow us
   # to configure it in whichever way we want to avoid russian dpi.