From 842b3f0ac7808498a0e31b9d9fd7f4c2a76bc5eb Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Mon, 5 Jun 2023 04:43:07 +0200
Subject: [PATCH] firewall: give docker more freedom
---
 hosts/architect/firewall.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index 3194b36..255f46f 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@@ -54,6 +54,9 @@ in
 }
 table ip nat {
+ chain DOCKER {
+ type nat hook prerouting priority dstnat; policy accept;
+ }
 chain PREROUTING {
 type nat hook prerouting priority dstnat; policy accept;
 }
@@ -142,6 +145,7 @@ in
 ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
 ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
 ip saddr ${lan.net} accept comment "lan > local"
+ iifname ${docker.interface} accept
 ip saddr ${tailscale.net} accept comment "tailscale > local"
 ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
@@ -151,7 +155,6 @@ in
 iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept
 iifname ${wireguard.interface} icmp type echo-request accept
- iifname ${docker.interface} udp dport 53 accept
 jump filter_drop
 }
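Review bot: The new `chain DOCKER` in `table ip nat` is declared as a base chain on exactly the same hook and priority as the existing `PREROUTING` chain right below it (`type nat hook prerouting priority dstnat; policy accept;`) yet contains no rules, so as written it has no effect and it is not clear what it is for. If the intent is to reserve a chain for Docker's own NAT rules, be aware that Docker (via iptables-nft) manages a regular chain named `DOCKER` in the same table and jumps to it from `PREROUTING`, so pre-declaring a base chain with that name may collide with it, and the relative order of two base chains sharing one hook and priority is not something to rely on; this is inferred from Docker's usual behaviour and should be confirmed on the host. At minimum add a comment stating the purpose, e.g. `# placeholder for Docker-managed NAT rules; confirm Docker does not also create a chain of this name`. The enclosing `table ip nat` block continues outside the hunk.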
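Review bot: `iifname ${docker.interface} accept` in the second hunk admits every packet arriving from the Docker interface to the host, any protocol and any port, whereas the rule it replaces in the third hunk (`iifname ${docker.interface} udp dport 53 accept`) allowed only DNS; every service listening on the host, including ones bound to all addresses for LAN or VPN use, becomes reachable from any container. The rule is also the only one in this run without a `comment`, so the reason for the broad accept is not recorded. If containers need more than DNS, name the ports instead of the interface alone, e.g. `iifname ${docker.interface} udp dport 53 accept comment "docker > local dns"` followed by a `iifname ${docker.interface} tcp dport { <ports containers need> } accept comment "docker > local"` line, with the port set filled in from what the containers actually use. The enclosing input chain starts before the hunk and its `jump filter_drop` tail is in the third hunk.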