From ec32b9b849164d154b083ee2dccde5e94261073b Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Sun, 26 Apr 2026 19:43:33 +0100
Subject: [PATCH] router: rename nat table to router-nat so Docker's chains survive rebuilds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

NixOS's nftables module rebuilds the tables it owns on every activation, which previously wiped Docker's DOCKER/PREROUTING chains in ip nat (both Docker and the router were defining 'ip nat'). Renaming our table sidesteps the collision — kernel hooks across separate tables at the same priority all run, so functionality is unchanged.

Eliminates the need to run 'systemctl restart docker' after every nixos-rebuild to restore container port-forwards.
---
 services/router.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/services/router.nix b/services/router.nix
index e201a63..08cdbab 100644
--- a/services/router.nix
+++ b/services/router.nix
@@ -136,7 +136,12 @@ in
       }
     '';
   };
-  tables.nat = {
+  # Use a distinct table name so we don't share `ip nat` with Docker —
+  # Docker manages its own DOCKER/PREROUTING chains in `ip nat`, and
+  # NixOS's nftables module rebuilds whichever tables it owns on every
+  # activation, which would wipe Docker's rules. Hooks at the same
+  # priority across separate tables coexist fine.
+  tables.router-nat = {
     family = "ip";
     content = ''
       chain prerouting {
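Review bot: Renaming the table to `tables.router-nat` means the next activation no longer owns `ip nat`, so the router's previously generated prerouting/postrouting chains in `ip nat` are presumably left in place next to Docker's rather than deleted, and any DNAT or masquerade rule there keeps operating until it is removed by hand or the host reboots — the "functionality is unchanged" claim in the description holds only after that one-time cleanup. The new comment should also qualify "coexist fine": nftables evaluates several nat hooks at the same priority, but only the first one that installs a mapping for a connection takes effect, so a router port-forward and a Docker published port on the same destination port resolve in hook-registration order rather than by configuration. Suggested addition to the comment: `# First activation after this rename leaves the old router chains in \`ip nat\`; delete them once (or reboot). Where a router DNAT and a Docker published port overlap, whichever nat hook evaluates first wins.` The `tables.router-nat` attribute set and its `content` continue past the end of the hunk; any other references to `tables.nat` elsewhere in the file are not visible here and should be checked.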