NAT module: allow hot rules replace after nixos-rebuild switch

[danbst]

I was playing with NAT module and suddenly realized, that nothing changes whatever options I set. Port forwarding didn't work. I checked iptables -t nat -L --- it was empty for this configuration:

   networking.nat.enable = true;
   networking.nat.forwardPorts = [
     { destination = "127.0.0.1:22"; sourcePort = 1022; }
   ];

After a bit of struggle and couple of lost hours I added locally this line:

systemd.services.nat.wantedBy = [ "default.target" ];

Now I can change nat rules in configuration.nix and they are correctly applied after switch.

[mention-bot]

By analyzing the blame information on this pull request, we identified @wkennington, @edolstra and @lethalman to be potential reviewers

[edolstra]

The real question is why do we have a nat.service to begin with, rather than a generic iptables.service. (The NAT rules do get reloaded properly when the firewall is enabled.)

[danbst]

@edolstra I cannot confirm that reloading is working when firewall enabled. I'm using this declarative container for test:

{ config, pkgs, lib, ... }:
{
   networking.enableIPv6 = lib.mkForce false;

   containers.testnat2 =
     { privateNetwork = true;
       hostAddress = "192.168.101.1";
       localAddress = "192.168.101.12";

       config = 
         { networking.firewall.enable = true;
           networking.enableIPv6 = false;
           networking.nat.enable = true;
           networking.nat.forwardPorts = [
             { destination = "192.168.101.12:22"; sourcePort = 2023; }
           ];
           networking.nat.internalInterfaces = ["eth0"];
           networking.nat.externalInterface = "eth0";

           services.openssh.enable = true;
       };
     };
}

After I change sourcePort = 2023; to sourcePort = 2025; and run nixos-rebuild switch && nixos-container update, I see this in iptables:

[root@testnat2:~]# iptables -n -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
nixos-nat-pre  all  --  0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
nixos-nat-post  all  --  0.0.0.0/0            0.0.0.0/0

Chain nixos-nat-post (1 references)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x1

Chain nixos-nat-pre (1 references)
target     prot opt source               destination
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2023 to:192.168.101.12:22

This can be fixed by systemd.services.firewall.wantedBy = [ "default.target" ]; too

generic iptables.service

+1, it is kind of confusing for newbies that nat and firewall are same thing. Also, it would simplify switch to nftables. But I can't do that in nearest future, hence this PR

[edolstra]

Is that on master or 16.03? I tried on 16.03 and it seemed to work.

[danbst]

I'm on 16.03 too

[danbst]

Unfortunately I am not able to write test that involves nixos-rebuild. I've looked at installer.nix test, but couldn't extract the essentials (SSL CA cert errors, nixpkgs not found errors, curl errors), so I can't currently prove my point.

[danbst]

@edolstra I have more information on this subject, wrt firewall.

When I change option networking.firewall.allowedTCPPorts, firewall service does reload, so here I confirm you that reload works.

When I disable firewall with networking.firewall.enable = lib.mkForce false;, it is stopped.

But when I enable firewall again with networking.firewall.enable = lib.mkForce true;, it doesn't start. Actually, this is the same as with NAT - no changes are applied because nat service didn't start with networking.nat.enable = true;.

After I manually sudo start firewall reloading on config changes works again.

All tests I'm doing in container.

[danbst]

Seems like default.target is not the correct one, but multi-user.target. Here is how I've fixed firewall:

         systemd.services.firewall = lib.mkIf config.networking.firewall.enable {
           wantedBy = [ "multi-user.target" ];
         };

I think, I should review my PR once more and better understand the difference between default and multi-user.

[groxxda]

default.target is a symlink to multi-user.target

[danbst]

Closing this PR because now I think it's too hackish solution. The root problem is somewhat related to network.target, because nat, firewall, bridges and default gateway config all suffer from this problem. Hope someone will fix #16230 properly and that will fix my issue too.