From 18b2466ba3438c1e7568cee5d99726bffe28966a Mon Sep 17 00:00:00 2001
From: Mel
Date: Sun, 31 Aug 2025 22:55:32 +0200
Subject: Make IPv6 custom docker foundation networks work with various ip6tables rules... Phew...
Signed-off-by: Mel
---
modules/foundation/services/networks.nix | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
(limited to 'modules/foundation/services')
diff --git a/modules/foundation/services/networks.nix b/modules/foundation/services/networks.nix
index 72e5b48..8be5723 100644
--- a/modules/foundation/services/networks.nix
+++ b/modules/foundation/services/networks.nix
@@ -168,6 +168,27 @@ in
 "net.ipv6.conf.default.forwarding" = 1;
 };
+ networking.firewall = {
+ # both options should work together to let all packets coming from
+ # docker bridges through.
+ trustedInterfaces = [ "br-*" ];
+ extraCommands = ''
+ # allow inbound packets
+ ip6tables -A nixos-fw -i br-+ -j nixos-fw-accept 2>/dev/null || true
+
+ # allow outbound to the docker bridge
+ ip6tables -A nixos-fw -o br-+ -j nixos-fw-accept 2>/dev/null || true
+
+ # allow forwarding between bridges+external interfaces
+ ip6tables -I FORWARD -i br-+ -j ACCEPT 2>/dev/null || true
+ ip6tables -I FORWARD -o br-+ -j ACCEPT 2>/dev/null || true
+
+ # allow return traffic
+ # note: nothing works without this!
+ ip6tables -I FORWARD ! -i br-+ -o br-+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
+ '';
+ };
+
 systemd.services = let prefixOffset = 100;
-- cgit 1.4.1
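Review bot: `ip6tables -I FORWARD -o br-+ -j ACCEPT` accepts any forwarded IPv6 packet addressed to a docker bridge from any interface, and because `-I` puts it at the head of FORWARD it is evaluated before Docker's own DOCKER-USER/DOCKER chains, so every container holding a routable IPv6 address becomes reachable on every port from outside regardless of which ports were published; the conntrack rule right below it already admits reply traffic, so the `-o br-+` line should go and whatever unsolicited inbound v6 access is actually wanted should be opened per port (in DOCKER-USER where Docker's ip6tables support provides it). The companion `-I FORWARD -i br-+ -j ACCEPT` likewise runs ahead of Docker's isolation chains, so, if Docker manages ip6tables on this host, containers on different bridges can now talk to each other. Two smaller points: iptables interface wildcards end in `+`, not `*`, so `trustedInterfaces = [ "br-*" ]` most likely matches nothing under the iptables backend these commands imply (the commands themselves correctly use `br-+`), and `nixos-fw` is reached from INPUT, where an `-o` match never fires, making the "allow outbound" rule a no-op. `2>/dev/null || true` hides exactly such failures, and since NixOS does not flush FORWARD on a firewall reload the `-I` rules are duplicated on every restart; guard each with `ip6tables -C … || ip6tables -I …` and undo them in `extraStopCommands`, roughly as below.

```nix
networking.firewall = {
  # iptables interface wildcards end in "+", not "*"
  trustedInterfaces = [ "br-+" ];
  extraCommands = ''
    # bridge -> host; nixos-fw hangs off INPUT, an -o rule there never matches
    ip6tables -C nixos-fw -i br-+ -j nixos-fw-accept 2>/dev/null \
      || ip6tables -A nixos-fw -i br-+ -j nixos-fw-accept

    # containers may initiate forwarding; only replies come back in.
    # Deliberately no "-o br-+ -j ACCEPT": it would expose every container
    # port over v6 ahead of Docker's DOCKER-USER/DOCKER chains.
    ip6tables -C FORWARD -i br-+ -j ACCEPT 2>/dev/null \
      || ip6tables -I FORWARD -i br-+ -j ACCEPT
    ip6tables -C FORWARD ! -i br-+ -o br-+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null \
      || ip6tables -I FORWARD ! -i br-+ -o br-+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  '';
  extraStopCommands = ''
    ip6tables -D FORWARD -i br-+ -j ACCEPT 2>/dev/null || true
    ip6tables -D FORWARD ! -i br-+ -o br-+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
  '';
};
```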