nft-update-addresses: implement dnat allow set

1 year ago · b62b67257f
parent c886e880f7
commit b62b67257f
1 changed files with 17 additions and 0 deletions
--- a/nix/packages/nft-update-addresses/nft-update-addresses.py
+++ b/nix/packages/nft-update-addresses/nft-update-addresses.py
@ -425,6 +425,16 @@ class InterfaceUpdateHandler(UpdateStackHandler[IpAddressUpdate]):
                    for port in portList
                ),
            )
+            yield NftUpdate(
+                obj_type="set",
+                obj_name=f"{set_prefix}dnat{proto.protocol}-allow",
+                operation=op,
+                values=tuple(
+                    f"{slaacs[mac].ip.compressed} . {lan}"
+                    for mac, portMap in proto.forwarded.items()
+                    for _, lan in portMap.items()
+                ),
+            )
            yield NftUpdate(
                obj_type="map",
                obj_name=f"{set_prefix}dnat{proto.protocol}",
@ -455,6 +465,13 @@ class InterfaceUpdateHandler(UpdateStackHandler[IpAddressUpdate]):
                        f"{addr_type} . inet_service",
                    )
                )
+                output.append(
+                    gen_set_def(
+                        "set",
+                        f"{set_prefix}dnat{proto.protocol}-allow",
+                        f"{addr_type} . inet_service",
+                    )
+                )
                output.append(
                    gen_set_def(
                        "map",