rope/nixos
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

router: also accept docker user-defined bridges (br-*)

Browse source 
Forgejo's runner spins up a per-workflow Docker network for every job,
which lives on a br-XXXXXX bridge — not docker0. Without this rule, the
in-container git clone (and anything else outbound) hits the forward
chain's default-deny and times out. Match docker0 plus the br-* glob in
both input and forward so any Docker network model works.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
ediblerope 2026-05-01 19:10:29 +01:00
parent bcefe9aa26
commit 670ff0a9f9
1 changed files with 10 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

16
services/router.nix
View file

@ -112,10 +112,12 @@ in
# LAN is trusted # LAN is trusted
iifname "eth0" accept iifname "eth0" accept
# Docker containers reaching host services (e.g. Profilarr → Radarr # Docker containers reaching host services (e.g. Profilarr → Radarr
# on 10.0.0.1:7878). The forward chain already trusts docker0 for # on 10.0.0.1:7878). The forward chain already trusts docker bridges
# outbound; this is the matching INPUT rule for traffic landing on # for outbound; this is the matching INPUT rule for traffic landing
# the host's own LAN/bridge IPs from a container. # on the host's own LAN/bridge IPs from a container. The br-* glob
iifname "docker0" accept # covers user-defined networks (the Forgejo runner creates one per
# workflow), so it doesn't fall through to the default-deny policy.
iifname { "docker0", "br-*" } accept
# Phase 1: also trust the existing eero subnet on eno1 so SSH # Phase 1: also trust the existing eero subnet on eno1 so SSH
# and AdGuard DNS keep working during the transition. # and AdGuard DNS keep working during the transition.
${legacyTrustRules} ${legacyTrustRules}
@ -131,8 +133,10 @@ in
ct state invalid drop ct state invalid drop
# LAN → anywhere # LAN → anywhere
iifname "eth0" accept iifname "eth0" accept
# Docker containers → anywhere (needed for image pulls, LinuxGSM bootstrap, etc.) # Docker containers → anywhere (needed for image pulls, LinuxGSM
iifname "docker0" accept # bootstrap, Forgejo runner workflows, etc.). br-* matches the
# user-defined bridges Docker creates for custom networks.
iifname { "docker0", "br-*" } accept
# WAN → any port-forward target (LAN host or docker container) # WAN → any port-forward target (LAN host or docker container)
iifname "eno1" ct status dnat accept iifname "eno1" ct status dnat accept
} }