rope/nixos
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

router: rename nat table to router-nat so Docker's chains survive rebuilds

Browse source 
NixOS's nftables module rebuilds the tables it owns on every activation,
which previously wiped Docker's DOCKER/PREROUTING chains in ip nat
(both Docker and the router were defining 'ip nat'). Renaming our
table sidesteps the collision — kernel hooks across separate tables
at the same priority all run, so functionality is unchanged.

Eliminates the need to run 'systemctl restart docker' after every
nixos-rebuild to restore container port-forwards.
This commit is contained in:
ediblerope 2026-04-26 19:43:33 +01:00
parent c1750c8538
commit ec32b9b849
1 changed files with 6 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
services/router.nix
View file

@ -136,7 +136,12 @@ in
}
'';
};
tables.nat = {
# Use a distinct table name so we don't share `ip nat` with Docker —
# Docker manages its own DOCKER/PREROUTING chains in `ip nat`, and
# NixOS's nftables module rebuilds whichever tables it owns on every
# activation, which would wipe Docker's rules. Hooks at the same
# priority across separate tables coexist fine.
tables.router-nat = {
family = "ip";
content = ''
chain prerouting {