| 7 Feb 2026 |
 K900 | However, right now our firewall basically does ct status dnat accept | 22:05:44 |
| K900 | Which works for v4 because there is NAT | 22:05:49 |
| K900 | But not for v6, because pinholing is not NAT | 22:05:55 |
| K900 | And the miniupnpd chain is never actually hit | 22:06:04 |
| K900 | So uhhh | 22:06:13 |
| K900 | Thoughts | 22:06:14 |
 raitobezarius | not deeply familiar with pinholing but doesn't it have any conntrack correspondance? | 22:15:06 |
| K900 | Nope | 22:16:34 |
| K900 | It's basically just adding a rule for "ip daddr ... tcp dport ... accept" | 22:17:06 |
| K900 | You do it on the global IPv6 | 22:17:35 |
| K900 | So the default is to not forward anything into the LAN but a client can ask nicely | 22:17:47 |
| raitobezarius | so if this thing dynamically add a ip daddr X tcp dport Y accept, aren't you just missing ip6_forwarding=1 ? | 22:19:29 |
| K900 | The problem is that it's adding it to its own chain | 22:19:51 |
| K900 | That is not hooked up to anything | 22:19:55 |
| K900 | And right now our normal firewall doesn't know it exists | 22:20:10 |
| raitobezarius | so why not jump to that chain inside your main filter table? | 22:20:15 |
| K900 | That's what I'm currently doing, but the nixos module sets it up as another table entirely | 22:20:34 |
| K900 | So you can't even jump to it from the normal filter rules | 22:20:50 |
| raitobezarius | i don't think it makes a lot of sense | 22:21:47 |
| raitobezarius | it should be a chain of the filter table | 22:21:53 |
| raitobezarius | miniupd is not its entire networking stack with its entire lifecycle | 22:22:01 |
| raitobezarius | otherwise, idk, you need to have another script that listens and modify the whole nftables config live | 22:23:03 |
| raitobezarius | while understanding what the fuck is going on | 22:23:07 |
| K900 | Yeah | 22:30:26 |
| K900 | Starting to have a design formulating in my head | 23:03:55 |
| K900 | I think | 23:03:56 |
| K900 | Step 1, RFC42 the thing | 23:04:03 |
| K900 | Step 2, services.miniupnpd.firewallIntegration or whatever, which requires filterForward and just makes it write to the nixos-fw table | 23:04:39 |
| K900 | Step 3, probably turn that on by default? | 23:04:56 |
|  zimward joined the room. | 23:18:56 |
