From 1f759b6d207131a57b548f200b77827aef67ae8f Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 24 Aug 2020 14:12:23 +0200
Subject: [PATCH] [wireguard] Also NAT IPv6

---
 roles/wireguard/templates/nftables.conf | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/roles/wireguard/templates/nftables.conf b/roles/wireguard/templates/nftables.conf
index 107c269e..58493072 100644
--- a/roles/wireguard/templates/nftables.conf
+++ b/roles/wireguard/templates/nftables.conf
@@ -2,17 +2,31 @@
 
 flush ruleset
 
-{% set sputnik_ip = query('ldap', 'ip', 'sputnik', 'adm') %}
+{% set sputnik_ip = (query('ldap', 'ip', 'sputnik', 'adm') | ipv4)[0] %}
 table ip nat {
 	chain prerouting {
 		type nat hook prerouting priority 0; policy accept;
-		ip daddr {{ sputnik_ip }} dnat 172.31.0.2
+		ip daddr {{ sputnik_ip }} dnat to 172.31.0.2
 	}
 	chain postrouting {
 		type nat hook postrouting priority 100; policy accept;
-		ip saddr 172.31.0.2 ip protocol icmp snat {{ sputnik_ip }}
-		ip saddr 172.31.0.2 ip protocol tcp snat {{ sputnik_ip }}
-		ip saddr 172.31.0.2 ip protocol udp snat {{ sputnik_ip }}
+		ip saddr 172.31.0.2 ip protocol icmp snat to {{ sputnik_ip }}
+		ip saddr 172.31.0.2 ip protocol tcp snat to {{ sputnik_ip }}
+		ip saddr 172.31.0.2 ip protocol udp snat to {{ sputnik_ip }}
+	}
+}
+
+{% set sputnik_ip6 = (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] %}
+table ip6 nat {
+	chain prerouting {
+		type nat hook prerouting priority 0; policy accept;
+		ip6 daddr {{ sputnik_ip6 }} dnat to fd0c:700:0:8::2
+	}
+	chain postrouting {
+		type nat hook postrouting priority 100; policy accept;
+		ip6 saddr fd0c:700:0:8::2 ip6 nexthdr icmpv6 snat to {{ sputnik_ip6 }}
+		ip6 saddr fd0c:700:0:8::2 ip6 nexthdr tcp snat to {{ sputnik_ip6 }}
+		ip6 saddr fd0c:700:0:8::2 ip6 nexthdr udp snat to {{ sputnik_ip6 }}
 	}
 }
 
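Review bot: The new `table ip6 nat` postrouting rules select the transport protocol with `ip6 nexthdr`, which only reads the first next-header field, so a packet from fd0c:700:0:8::2 that carries an IPv6 extension header (fragment, destination options, ...) matches none of the three rules, is not SNATed, and leaves with its ULA source address; nftables' `meta l4proto` walks the extension-header chain and is the usual matcher here, e.g. `ip6 saddr fd0c:700:0:8::2 meta l4proto tcp snat to {{ sputnik_ip6 }}` (likewise for udp and icmpv6). The IPv4 rules keep `ip protocol`, which has no such gap. Separately, the `[0]` appended to both `query('ldap', 'ip', 'sputnik', 'adm') | ipv4` and `| ipv6` turns a host with no address of that family in LDAP into a render failure for the whole nftables.conf; if an IPv6-less sputnik is a supported state, assign the filtered list first and wrap the `table ip6 nat` block in `{% if sputnik_ip6_list %}` instead of indexing unconditionally.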
-- 
GitLab