From 568b815d8d795fdfc1d67844548c53aa009506cc Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Sat, 25 Apr 2026 15:35:26 +0100
Subject: [PATCH] router: allow docker0 forward and expose 7dtd-coop ports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Container outbound (image pulls, LinuxGSM bootstrap fetches) was dropped by the inet filter forward chain — only eth0 and DNAT'd WAN traffic were whitelisted. Add iifname "docker0" accept so containers can reach the internet. Also add the coop server's 26910/26911-26912 forwards to ports.toml so WAN players can connect.
Co-Authored-By: Claude Opus 4.7
---
ports.toml | 10 ++++++++++
services/router.nix | 2 ++
2 files changed, 12 insertions(+)
diff --git a/ports.toml b/ports.toml
index 95da6d4..bdf1547 100644
--- a/ports.toml
+++ b/ports.toml
@@ -34,3 +34,13 @@ protocol = "both"
 name = "7DTD voice/dynamic"
 ports = "26901-26902"
 protocol = "udp"
+
+[[forward]]
+name = "7DTD-coop game"
+port = 26910
+protocol = "both"
+
+[[forward]]
+name = "7DTD-coop voice/dynamic"
+ports = "26911-26912"
+protocol = "udp"
diff --git a/services/router.nix b/services/router.nix
index cf480ef..7da9a2d 100644
--- a/services/router.nix
+++ b/services/router.nix
@@ -126,6 +126,8 @@ in
 ct state invalid drop
 # LAN → anywhere
 iifname "eth0" accept
+ # Docker containers → anywhere (needed for image pulls, LinuxGSM bootstrap, etc.)
+ iifname "docker0" accept
 # WAN → LAN only if it was DNAT'd by a port-forward rule
 iifname "eno1" oifname "eth0" ct status dnat accept
 }
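Review bot: The added `iifname "docker0" accept` in services/router.nix matches on the input interface only, so it lets containers open connections to LAN hosts behind `eth0` as well as to the internet, which is wider than the commit message's stated purpose. Because the same commit exposes the coop server's ports to the WAN, a compromised game-server container would have unrestricted forward access into the LAN. Narrowing the rule to `iifname "docker0" oifname "eno1" accept` should keep image pulls and bootstrap fetches working (eno1 appears to be the WAN side, judging by the DNAT rule below it), with the comment changed to `# Docker containers → WAN only (image pulls, LinuxGSM bootstrap)`. The forward chain starts outside the hunk, so this assumes an earlier established/related accept handles return traffic; the rule also only covers the default bridge, so containers on user-defined Docker networks (other bridge interfaces) would still be dropped.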