From 9079823683da43b4b4068f84f6d88f821e961a92 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sat, 2 Jan 2016 20:14:09 +0200
Subject: [PATCH] Added a service to enable IP masquerading (NAT) because
 nspawn on Debian isn't compiled with support for that.

---
 files/nspawn-nat.service | 15 +++++++++++++++
 tasks/main.yml           |  8 ++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 files/nspawn-nat.service

diff --git a/files/nspawn-nat.service b/files/nspawn-nat.service
new file mode 100644
index 0000000..df2058c
--- /dev/null
+++ b/files/nspawn-nat.service
@@ -0,0 +1,15 @@
+[Unit]
+Description="Enable NAT on nspawn bridge due to Debian bug #787480."
+Requires=systemd-networkd
+After=systemd-networkd
+After=ufw
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+Environment=network="192.168.123.0/24"
+ExecStart=/sbin/iptables -w -t nat -A POSTROUTING -s "$network" ! -d "$network" -j MASQUERADE
+ExecStop=/sbin/iptables -w -t nat -D POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
+
+[Install]
+WantedBy=network.target
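Review bot: ExecStop deletes a rule for the literal 192.168.123.0/24 while ExecStart appends one for `$network`, so once the Environment= value is changed the stop command no longer matches and the old MASQUERADE rule stays in the nat table. Use the variable on both lines: `ExecStop=/sbin/iptables -w -t nat -D POSTROUTING -s "$network" ! -d "$network" -j MASQUERADE`. The rule also matches on source subnet alone, so it masquerades that range out of every interface; adding `-o <uplink-interface>` (placeholder) would confine it to the intended egress path. `Requires=systemd-networkd`, `After=systemd-networkd` and `After=ufw` carry no unit-type suffix, and systemd appears to ignore dependency names without one, so spelling out `systemd-networkd.service` and `ufw.service` is safer.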
diff --git a/tasks/main.yml b/tasks/main.yml
index 0c0efa7..b4ef326 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -44,6 +44,14 @@
     group: root
     mode: '0644'
 
+- name: Add NAT workaround for Debian bug #787480
+  copy:
+    src: nspawn-nat.service
+    dest: /etc/systemd/system/nspawn-nat.service
+    owner: root
+    group: root
+    mode: '0644'
+
 - name: Disable networking service, enable systemd-networkd
   with_items:
   - name: systemd-resolved
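Review bot: The added copy task installs the unit file, but nothing visible in this hunk runs `systemctl daemon-reload` or enables and starts nspawn-nat.service, so the NAT rule may not be applied until a reboot or a manual step. The following `with_items` task continues outside the hunk and may already cover enabling the service. If it does not, add a `notify:` on this task pointing to a handler that runs `command: systemctl daemon-reload`, and a step that enables and starts the unit. Without the reload, a later edit to the unit file would also leave systemd running the stale definition.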
-- 
GitLab