feat: enable mdns forward

hosts/nucnix/forwarding.nix

@@ -83,12 +83,25 @@ mkMerge [
     protocol = "udp";
   })
   {
-    networking.nftables.chains.prerouting.mdns-forward = {
+    networking.nftables.ruleset = ''
-      after = [ "hook" ];
+      table ip mdns {
-      rules = [
+        chain prerouting {
-        # "iifname lan-home ip daddr 224.0.0.251 ip saddr set ${net.cidr.host 1 globals.net.vlans.services.cidrv4} dup to 224.0.0.251 device lan-services notrack"
+            type filter hook prerouting priority mangle; policy accept;
-        # "iifname lan-services ip daddr 224.0.0.251 ip saddr set ${net.cidr.host 1 globals.net.vlans.home.cidrv4} dup to 224.0.0.251 device lan-home notrack"
+
-      ];
+            iifname {lan-home, lan-services} ip daddr 224.0.0.251 meta mark 0xa5f3 jump mdns-saddr
-    };
+            iifname {lan-home, lan-services} ip daddr 224.0.0.251 meta mark != 0xa5f3 jump mdns
+        }
+        chain mdns {
+            meta mark set 0xa5f3
+            iifname lan-services dup to 224.0.0.251 device lan-home
+            iifname lan-home dup to 224.0.0.251 device lan-services
+        }
+        chain mdns-saddr {
+            # repeat mDNS from IoT to main
+            iifname lan-services ip saddr set 10.99.20.1
+            iifname lan-home ip saddr set 10.99.10.1
+        }
+      }
+    '';
   }
 ]

hosts/nucnix/net.nix

@@ -136,7 +136,10 @@ in
     snippets.nnf-ssh.enable = lib.mkForce false;
     rules = {
       mdns = {
-        from = [ "home" ];
+        from = [
+          "home"
+          "services"
+        ];
         to = [ "local" ];
         allowedUDPPorts = [ 5353 ];
       };