From 826929571b2ee168d9dc0499e074a063ec90249e Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Tue, 8 Aug 2023 14:19:48 +0200
Subject: [PATCH] shinobu/router: Switch to nftables

---
 machines/shinobu/services/router.nix | 32 ++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/machines/shinobu/services/router.nix b/machines/shinobu/services/router.nix
index ba798fa..3a29508 100644
--- a/machines/shinobu/services/router.nix
+++ b/machines/shinobu/services/router.nix
@@ -43,13 +43,33 @@ in
 networking = {
 # networkd handles this
 useDHCP = false;
- # networkd didn’t work that well for this
- nat = {
+
+ nftables = {
 enable = true;
- enableIPv6 = true;
- externalInterface = "wg-upstream";
- internalInterfaces = [ "br-lan" ];
- internalIPv6s = [ "fd00:80:1::/64" ];
+ ruleset = ''
+ define NAT_LAN_IFACES = { "br-lan" }
+ define NAT_WAN_IFACES = { "wg-upstream" }
+
+ table inet filter {
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+
+ iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept;
+ iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept;
+ }
+ }
+
+ table inet nat {
+ chain prerouting {
+ type nat hook prerouting priority filter; policy accept;
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority filter; policy accept;
+ oifname $NAT_WAN_IFACES masquerade;
+ }
+ }
+ '';
 };
 };
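Review bot: The masquerade rule in the new `table inet nat` postrouting chain is wider than what it replaces: the removed `internalIPv6s = [ "fd00:80:1::/64" ]` confined IPv6 NAT to that ULA prefix, while `oifname $NAT_WAN_IFACES masquerade` in an `inet` table rewrites the source of every IPv4 and IPv6 packet leaving wg-upstream, so any non-ULA IPv6 source forwarded from br-lan would now be NATed as well. Splitting it into `meta nfproto ipv4 oifname $NAT_WAN_IFACES masquerade;` and `ip6 saddr fd00:80:1::/64 oifname $NAT_WAN_IFACES masquerade;` restores the old scope and makes the NAT66 intent explicit. Dropping `networking.nat` also drops the forwarding sysctls that module used to set, so unless this file enables forwarding elsewhere (networkd `IPForward=` or `boot.kernel.sysctl`, not visible in this hunk) forwarded traffic will no longer pass at all; a one-line comment above `nftables = {` saying where forwarding is enabled would help. Finally, both nat chains use `priority filter`; the conventional `dstnat`/`srcnat` priorities keep them ordered correctly relative to any filter-hook chains added later, and the empty prerouting chain deserves a comment explaining why it is kept. The enclosing `networking` attribute set extends beyond the hunk.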