Commit 004adc645cd6

Vincent Demeester <vincent@sbr.pm>
2025-12-10 21:50:35
fix(aomi): Improve OpenShift port forwarding reliability
- Enable localhost access by adding OUTPUT chain NAT rules - Remove interface detection to avoid race conditions - Use mkForce for sysctl to override conflicting settings Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent a08bcc4
Changed files (1)
systems/aomi/openshift-port-forward.nix
@@ -1,10 +1,10 @@
-{ ... }:
+{ lib, ... }:
 
 {
   # Enable IP forwarding for libvirt network
   boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = 1;
-    "net.ipv6.conf.all.forwarding" = 1;
+    "net.ipv4.ip_forward" = lib.mkForce 1;
+    "net.ipv6.conf.all.forwarding" = lib.mkForce 1;
   };
 
   networking.firewall = {
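Review bot: `lib.mkForce 1` on the two sysctls silences whichever other module sets them differently instead of recording what is being overridden, so a reader of `# Enable IP forwarding for libvirt network` cannot tell whether the force is still needed or what it wins over; the commit message mentions a conflicting setting but does not name it either. Since the DNAT and FORWARD rules later in this file depend on forwarding staying on, the comment should say so and name the source of the conflict once known, e.g. `# mkForce: another module sets these to 0 (TODO: name it); forwarding must stay on for the OpenShift DNAT rules below`. If the conflicting module is known, `lib.mkOverride` with a priority just below its own would document the intent more precisely than a blanket force.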
@@ -17,31 +17,35 @@
     ];
 
     # NAT rules to forward traffic to OpenShift VM
+    # Using -i ! virbr1 to match all interfaces except the libvirt bridge
     extraCommands = ''
-      # Get the primary home network interface
-      HOME_IFACE=$(ip route | grep default | awk '{print $5}' | head -1)
+      # Forward HTTPS traffic (443) to OpenShift from any external interface
+      iptables -t nat -A PREROUTING ! -i virbr1 -p tcp --dport 443 -j DNAT --to-destination 192.168.100.7:443
 
-      # Forward HTTPS traffic (443) to OpenShift
-      iptables -t nat -A PREROUTING -i $HOME_IFACE -p tcp --dport 443 -j DNAT --to-destination 192.168.100.7:443
+      # Forward Kubernetes API (6443) to OpenShift from any external interface
+      iptables -t nat -A PREROUTING ! -i virbr1 -p tcp --dport 6443 -j DNAT --to-destination 192.168.100.7:6443
 
-      # Forward Kubernetes API (6443) to OpenShift
-      iptables -t nat -A PREROUTING -i $HOME_IFACE -p tcp --dport 6443 -j DNAT --to-destination 192.168.100.7:6443
+      # Forward from localhost (for commands running on aomi itself)
+      iptables -t nat -A OUTPUT -p tcp --dport 443 -d 192.168.1.23 -j DNAT --to-destination 192.168.100.7:443
+      iptables -t nat -A OUTPUT -p tcp --dport 6443 -d 192.168.1.23 -j DNAT --to-destination 192.168.100.7:6443
 
       # Enable masquerading for libvirt network to access internet
       iptables -t nat -A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE
 
-      # Allow forwarding between interfaces
-      iptables -A FORWARD -i $HOME_IFACE -o virbr1 -j ACCEPT
-      iptables -A FORWARD -i virbr1 -o $HOME_IFACE -j ACCEPT
+      # Allow forwarding to/from the libvirt network
+      iptables -A FORWARD -d 192.168.100.0/24 -j ACCEPT
+      iptables -A FORWARD -s 192.168.100.0/24 -j ACCEPT
     '';
 
     extraStopCommands = ''
-      HOME_IFACE=$(ip route | grep default | awk '{print $5}' | head -1)
-
       # Clean up forwarding rules
-      iptables -t nat -D PREROUTING -i $HOME_IFACE -p tcp --dport 443 -j DNAT --to-destination 192.168.100.7:443 2>/dev/null || true
-      iptables -t nat -D PREROUTING -i $HOME_IFACE -p tcp --dport 6443 -j DNAT --to-destination 192.168.100.7:6443 2>/dev/null || true
+      iptables -t nat -D PREROUTING ! -i virbr1 -p tcp --dport 443 -j DNAT --to-destination 192.168.100.7:443 2>/dev/null || true
+      iptables -t nat -D PREROUTING ! -i virbr1 -p tcp --dport 6443 -j DNAT --to-destination 192.168.100.7:6443 2>/dev/null || true
+      iptables -t nat -D OUTPUT -p tcp --dport 443 -d 192.168.1.23 -j DNAT --to-destination 192.168.100.7:443 2>/dev/null || true
+      iptables -t nat -D OUTPUT -p tcp --dport 6443 -d 192.168.1.23 -j DNAT --to-destination 192.168.100.7:6443 2>/dev/null || true
       iptables -t nat -D POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE 2>/dev/null || true
+      iptables -D FORWARD -d 192.168.100.0/24 -j ACCEPT 2>/dev/null || true
+      iptables -D FORWARD -s 192.168.100.0/24 -j ACCEPT 2>/dev/null || true
     '';
   };
 }
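Review bot: The new FORWARD rule `iptables -A FORWARD -d 192.168.100.0/24 -j ACCEPT` accepts every protocol and port towards the whole libvirt subnet from any interface, whereas the removed rules were bound to one interface pair, and the PREROUTING DNATs now match every non-virbr1 interface rather than only the default-route one, so which networks can reach the VM is now decided by whatever other interfaces aomi has rather than by this file. Only 443 and 6443 to 192.168.100.7 are DNATed, so the inbound accept can be narrowed to those two flows plus reply traffic for the VM's own outbound connections (which the MASQUERADE rule already serves), with matching `-D` lines in extraStopCommands. The comment `# Forward from localhost (for commands running on aomi itself)` is also misleading: the OUTPUT rules match `-d 192.168.1.23`, presumably aomi's LAN address, so traffic to 127.0.0.1 is not redirected and the rules silently stop matching if that address changes; `# Redirect locally-originated traffic aimed at aomi's own LAN address (192.168.1.23) to the VM` states what they do. The comment on the first added line says `-i ! virbr1` while the rules use `! -i virbr1`; the two should agree.
```nix
    extraCommands = ''
      # … unchanged: PREROUTING / OUTPUT DNAT and POSTROUTING MASQUERADE rules …

      # Only the two published services may be forwarded into the libvirt network;
      # anything else towards the VM subnet is limited to replies to VM-initiated flows
      iptables -A FORWARD -p tcp -d 192.168.100.7 --dport 443 -j ACCEPT
      iptables -A FORWARD -p tcp -d 192.168.100.7 --dport 6443 -j ACCEPT
      iptables -A FORWARD -d 192.168.100.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      iptables -A FORWARD -s 192.168.100.0/24 -j ACCEPT
    '';
```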