Diffstat (limited to 'modules/router.nix')
-rw-r--r-- | modules/router.nix | 27 |
1 files changed, 12 insertions, 15 deletions
diff --git a/modules/router.nix b/modules/router.nix
index 8267967..81c8c86 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -159,9 +159,6 @@ let
 };
 networking.firewall.enable = false;
- systemd.services.nftables.before = mkForce ["network.target"];
- systemd.services.nftables.after = ["kjlan-netdev.service" "he0.service"];
- systemd.services.nftables.wantedBy = mkForce ["network.target"];
 networking.nftables.enable = true;
 networking.nftables.ruleset = let
@@ -177,7 +174,7 @@ let
 table inet filter {
 chain input {
 type filter hook input priority 0
- iif lo accept
+ iifname lo accept
 ct state {established, related} counter accept
 meta l4proto {tcp, udp} th dport {bootps, bootpc, domain, dhcpv6-client, dhcpv6-server} counter accept
@@ -187,7 +184,7 @@ let
 ip6 nexthdr ipv6-icmp counter accept comment "accept all ICMP types"
- iif wan-vport counter drop
+ iifname wan-vport counter drop
 meta nftrace set 1 counter drop
 }
@@ -204,13 +201,13 @@ let
 ip6 nexthdr ipv6-icmp limit rate 4/second counter accept comment "accept all ICMP types"
 ct state vmap { established : accept, related : accept, invalid : drop }
- oif he0 counter accept
- oif wan-vport counter accept
- oif mullvad counter accept
+ oifname he0 counter accept
+ oifname wan-vport counter accept
+ oifname mullvad counter accept
- oif servers-vport meta l4proto {tcp, udp} th dport $SERVER_WAN_PORTS counter accept
- iif lan-vport oif servers-vport meta l4proto {tcp, udp} th dport $SERVER_LAN_PORTS counter accept
- iif servers-vport counter accept
+ oifname servers-vport meta l4proto {tcp, udp} th dport $SERVER_WAN_PORTS counter accept
+ iifname lan-vport oifname servers-vport meta l4proto {tcp, udp} th dport $SERVER_LAN_PORTS counter accept
+ iifname servers-vport counter accept
 counter drop
 }
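Review bot: Dropping the three `systemd.services.nftables` ordering overrides in the first hunk (-159) hands the ruleset's start ordering back to the NixOS module default, and because `networking.firewall.enable = false` this ruleset is the host's only packet filter, so it is worth confirming that it still loads before `wan-vport`, `he0` and the other interfaces come up (presumably the module's default ordering before `network-pre.target` still applies, but nothing in the file says so). The `iif`/`oif` to `iifname`/`oifname` swap in the remaining hunks is what makes the explicit `after = ["kjlan-netdev.service" "he0.service"]` unnecessary: `iif`/`oif` resolve the interface index when the ruleset is loaded and fail if the interface does not exist yet, whereas `iifname`/`oifname` compare the name per packet, so the ruleset loads before the interfaces are created. That rationale is not recorded anywhere; a comment above `networking.nftables.ruleset`, e.g. `# iifname/oifname match by name at packet time, so the ruleset loads before the vports and he0 exist`, would keep the next reader from reverting to `iif` and re-adding the ordering. Name matching also means any interface that later takes one of these names inherits its rules, which is fine here as long as the names stay unique. The enclosing `let` block and the `networking.nftables.ruleset` string continue outside these hunks.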
@@ -221,19 +218,19 @@ let
 type filter hook prerouting priority -150
 # ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta nftrace set 1
 ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark}
- iif vpnlan-vport meta mark set ${toString mullvadMark}
+ iifname vpnlan-vport meta mark set ${toString mullvadMark}
 }
 }
 table ip nat {
 chain prerouting {
 type nat hook prerouting priority -100; policy accept
- iif wan-vport tcp dport $SERVER_WAN_PORTS dnat to 172.20.20.2
+ iifname wan-vport tcp dport $SERVER_WAN_PORTS dnat to 172.20.20.2
 }
 chain postrouting {
 type nat hook postrouting priority 100; policy accept
- ip saddr 172.16.0.0/12 oif {"wan-vport"} masquerade
- ip saddr 172.16.0.0/12 oif {"mullvad"} masquerade
+ ip saddr 172.16.0.0/12 oifname {"wan-vport"} masquerade
+ ip saddr 172.16.0.0/12 oifname {"mullvad"} masquerade
 }
 }
 ''; |
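Review bot: The two postrouting masquerade rules on the new side differ only in the egress interface, so they can be a single rule with an anonymous set: `ip saddr 172.16.0.0/12 oifname {"wan-vport", "mullvad"} masquerade`. One rule keeps the chain shorter and makes it harder for the egress paths to drift apart when another interface is added. The `networking.nftables.ruleset` string that encloses this chain starts outside the hunk.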