nixos/nat: Don't flush tables, create subchains for autogenerated rules

nixos/modules/services/networking/nat.nix

@@ -13,38 +13,49 @@ let
   dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}";
 
   flushNat = ''
-    iptables -w -t nat -F PREROUTING
-    iptables -w -t nat -F POSTROUTING
-    iptables -w -t nat -X
+    iptables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true
+    iptables -w -t nat -F nixos-nat-pre 2>/dev/null || true
+    iptables -w -t nat -X nixos-nat-pre 2>/dev/null || true
+    iptables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true
+    iptables -w -t nat -F nixos-nat-post 2>/dev/null || true
+    iptables -w -t nat -X nixos-nat-post 2>/dev/null || true
   '';
 
   setupNat = ''
+    # Create subchain where we store rules
+    iptables -w -t nat -N nixos-nat-pre
+    iptables -w -t nat -N nixos-nat-post
+
     # We can't match on incoming interface in POSTROUTING, so
     # mark packets coming from the external interfaces.
     ${concatMapStrings (iface: ''
-      iptables -w -t nat -A PREROUTING \
+      iptables -w -t nat -A nixos-nat-pre \
         -i '${iface}' -j MARK --set-mark 1
     '') cfg.internalInterfaces}
 
     # NAT the marked packets.
     ${optionalString (cfg.internalInterfaces != []) ''
-      iptables -w -t nat -A POSTROUTING -m mark --mark 1 \
+      iptables -w -t nat -A nixos-nat-post -m mark --mark 1 \
         -o ${cfg.externalInterface} ${dest}
     ''}
 
     # NAT packets coming from the internal IPs.
     ${concatMapStrings (range: ''
-      iptables -w -t nat -A POSTROUTING \
+      iptables -w -t nat -A nixos-nat-post \
         -s '${range}' -o ${cfg.externalInterface} ${dest}
     '') cfg.internalIPs}
 
     # NAT from external ports to internal ports.
     ${concatMapStrings (fwd: ''
-      iptables -w -t nat -A PREROUTING \
+      iptables -w -t nat -A nixos-nat-pre \
         -i ${cfg.externalInterface} -p tcp \
         --dport ${builtins.toString fwd.sourcePort} \
         -j DNAT --to-destination ${fwd.destination}
     '') cfg.forwardPorts}
+
+    # Append our chains to the nat tables
+    iptables -w -t nat -A PREROUTING -j nixos-nat-pre
+    iptables -w -t nat -A POSTROUTING -j nixos-nat-post
   '';
 
 in
@@ -157,7 +168,7 @@ in
       extraStopCommands = flushNat;
     };
 
-    systemd.services =  mkIf (!config.networking.firewall.enable) { nat = {
+    systemd.services = mkIf (!config.networking.firewall.enable) { nat = {
       description = "Network Address Translation";
       wantedBy = [ "network.target" ];
       after = [ "network-interfaces.target" "systemd-modules-load.service" ];

nixos/release-combined.nix

@@ -61,7 +61,8 @@ in rec {
         (all nixos.tests.kde4)
         (all nixos.tests.login)
         (all nixos.tests.misc)
-        (all nixos.tests.nat)
+        (all nixos.tests.nat.firewall)
+        (all nixos.tests.nat.standalone)
         (all nixos.tests.nfs3)
         (all nixos.tests.openssh)
         (all nixos.tests.printing)

nixos/release.nix

@@ -244,7 +244,8 @@ in rec {
   tests.munin = callTest tests/munin.nix {};
   tests.mysql = callTest tests/mysql.nix {};
   tests.mysqlReplication = callTest tests/mysql-replication.nix {};
-  tests.nat = callTest tests/nat.nix {};
+  tests.nat.firewall = callTest tests/nat.nix { withFirewall = true; };
+  tests.nat.standalone = callTest tests/nat.nix { withFirewall = false; };
   tests.nfs3 = callTest tests/nfs.nix { version = 3; };
   tests.nsd = callTest tests/nsd.nix {};
   tests.openssh = callTest tests/openssh.nix {};

nixos/tests/nat.nix

@@ -3,77 +3,81 @@
 # client on the inside network, a server on the outside network, and a
 # router connected to both that performs Network Address Translation
 # for the client.
+import ./make-test.nix ({ withFirewall, ... }:
+  let
+    unit = if withFirewall then "firewall" else "nat";
+  in
+  {
+    name = "nat${if withFirewall then "WithFirewall" else "Standalone"}";
 
-import ./make-test.nix {
-  name = "nat";
+    nodes =
+      { client =
+          { config, pkgs, nodes, ... }:
+          { virtualisation.vlans = [ 1 ];
+            networking.firewall.allowPing = true;
+            networking.defaultGateway =
+              (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;
+          };
 
-  nodes =
-    { client =
-        { config, pkgs, nodes, ... }:
-        { virtualisation.vlans = [ 1 ];
-          networking.firewall.allowPing = true;
-          networking.defaultGateway =
-            (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;
-        };
+        router =
+          { config, pkgs, ... }:
+          { virtualisation.vlans = [ 2 1 ];
+            networking.firewall.enable = withFirewall;
+            networking.firewall.allowPing = true;
+            networking.nat.enable = true;
+            networking.nat.internalIPs = [ "192.168.1.0/24" ];
+            networking.nat.externalInterface = "eth1";
+          };
 
-      router =
-        { config, pkgs, ... }:
-        { virtualisation.vlans = [ 2 1 ];
-          networking.firewall.allowPing = true;
-          networking.nat.enable = true;
-          networking.nat.internalIPs = [ "192.168.1.0/24" ];
-          networking.nat.externalInterface = "eth1";
-        };
+        server =
+          { config, pkgs, ... }:
+          { virtualisation.vlans = [ 2 ];
+            networking.firewall.enable = false;
+            services.httpd.enable = true;
+            services.httpd.adminAddr = "foo@example.org";
+            services.vsftpd.enable = true;
+            services.vsftpd.anonymousUser = true;
+          };
+      };
 
-      server =
-        { config, pkgs, ... }:
-        { virtualisation.vlans = [ 2 ];
-          networking.firewall.enable = false;
-          services.httpd.enable = true;
-          services.httpd.adminAddr = "foo@example.org";
-          services.vsftpd.enable = true;
-          services.vsftpd.anonymousUser = true;
-        };
-    };
+    testScript =
+      { nodes, ... }:
+      ''
+        startAll;
 
-  testScript =
-    { nodes, ... }:
-    ''
-      startAll;
+        # The router should have access to the server.
+        $server->waitForUnit("network.target");
+        $server->waitForUnit("httpd");
+        $router->waitForUnit("network.target");
+        $router->succeed("curl --fail http://server/ >&2");
 
-      # The router should have access to the server.
-      $server->waitForUnit("network.target");
-      $server->waitForUnit("httpd");
-      $router->waitForUnit("network.target");
-      $router->succeed("curl --fail http://server/ >&2");
+        # The client should be also able to connect via the NAT router.
+        $router->waitForUnit("${unit}");
+        $client->waitForUnit("network.target");
+        $client->succeed("curl --fail http://server/ >&2");
+        $client->succeed("ping -c 1 server >&2");
 
-      # The client should be also able to connect via the NAT router.
-      $router->waitForUnit("nat");
-      $client->waitForUnit("network.target");
-      $client->succeed("curl --fail http://server/ >&2");
-      $client->succeed("ping -c 1 server >&2");
+        # Test whether passive FTP works.
+        $server->waitForUnit("vsftpd");
+        $server->succeed("echo Hello World > /home/ftp/foo.txt");
+        $client->succeed("curl -v ftp://server/foo.txt >&2");
 
-      # Test whether passive FTP works.
-      $server->waitForUnit("vsftpd");
-      $server->succeed("echo Hello World > /home/ftp/foo.txt");
-      $client->succeed("curl -v ftp://server/foo.txt >&2");
+        # Test whether active FTP works.
+        $client->succeed("curl -v -P - ftp://server/foo.txt >&2");
 
-      # Test whether active FTP works.
-      $client->succeed("curl -v -P - ftp://server/foo.txt >&2");
+        # Test ICMP.
+        $client->succeed("ping -c 1 router >&2");
+        $router->succeed("ping -c 1 client >&2");
 
-      # Test ICMP.
-      $client->succeed("ping -c 1 router >&2");
-      $router->succeed("ping -c 1 client >&2");
+        # If we turn off NAT, the client shouldn't be able to reach the server.
+        $router->succeed("iptables -t nat -D PREROUTING -j nixos-nat-pre");
+        $router->succeed("iptables -t nat -D POSTROUTING -j nixos-nat-post");
+        $client->fail("curl --fail --connect-timeout 5 http://server/ >&2");
+        $client->fail("ping -c 1 server >&2");
 
-      # If we turn off NAT, the client shouldn't be able to reach the server.
-      $router->stopJob("nat");
-      $client->fail("curl --fail --connect-timeout 5 http://server/ >&2");
-      $client->fail("ping -c 1 server >&2");
-
-      # And make sure that restarting the NAT job works.
-      $router->succeed("systemctl start nat");
-      $client->succeed("curl --fail http://server/ >&2");
-      $client->succeed("ping -c 1 server >&2");
-    '';
-
-}
+        # And make sure that reloading the NAT job works.
+        $router->succeed("systemctl restart ${unit}");
+        $client->succeed("curl --fail http://server/ >&2");
+        $client->succeed("ping -c 1 server >&2");
+      '';
+  })