!tCyGickeVqkHsYjWnh:nixos.org

NixOS Networking

914 Members
Declaratively manage your switching, routing, wireless, tunneling and more.269 Servers

Load older messages

SenderMessageTime
7 Feb 2026
@k900:0upti.meK900Hmm you know what actually19:16:33
@k900:0upti.meK900 networking.firewall.filterForward is a thing 19:16:39
@k900:0upti.meK900And does basically just enough and just stupid enough for me to enable it19:16:47
@albertlarsan68:albertlarsan.frAlbert LarsanI think it would break my dn42 stuff though19:17:19
@k900:0upti.meK900Hmm actually this kinda sucks now19:19:59
@k900:0upti.meK900I guess I need miniupnpd19:20:32
@k900:0upti.meK900OK so22:04:10
@k900:0upti.meK900I fell down a fucking hole again22:04:13
@k900:0upti.meK900Our miniupnpd can't do IPv6 pinholing22:04:31
@k900:0upti.meK900This enables it in just the package; https://github.com/NixOS/nixpkgs/pull/48810422:04:40
@k900:0upti.meK900Which is basically a no-op because it can't make anything worse22:04:47
@k900:0upti.meK900 However, right now our firewall basically does ct status dnat accept 22:05:44
@k900:0upti.meK900Which works for v4 because there is NAT22:05:49
@k900:0upti.meK900 But not for v6, because pinholing is not NAT 22:05:55
@k900:0upti.meK900And the miniupnpd chain is never actually hit22:06:04
@k900:0upti.meK900So uhhh22:06:13
@k900:0upti.meK900Thoughts22:06:14
@raitobezarius:matrix.orgraitobezariusnot deeply familiar with pinholing but doesn't it have any conntrack correspondance?22:15:06
@k900:0upti.meK900Nope22:16:34
@k900:0upti.meK900It's basically just adding a rule for "ip daddr ... tcp dport ... accept"22:17:06
@k900:0upti.meK900You do it on the global IPv622:17:35
@k900:0upti.meK900So the default is to not forward anything into the LAN but a client can ask nicely22:17:47
@raitobezarius:matrix.orgraitobezariusso if this thing dynamically add a ip daddr X tcp dport Y accept, aren't you just missing ip6_forwarding=1 ?22:19:29
@k900:0upti.meK900The problem is that it's adding it to its own chain22:19:51
@k900:0upti.meK900That is not hooked up to anything22:19:55
@k900:0upti.meK900And right now our normal firewall doesn't know it exists22:20:10
@raitobezarius:matrix.orgraitobezariusso why not jump to that chain inside your main filter table?22:20:15
@k900:0upti.meK900That's what I'm currently doing, but the nixos module sets it up as another table entirely22:20:34
@k900:0upti.meK900So you can't even jump to it from the normal filter rules22:20:50
@raitobezarius:matrix.orgraitobezariusi don't think it makes a lot of sense22:21:47

Show newer messages

Back to Room ListRoom Version: 6