From 0b3e9c48ff72cef97c6a8fc5cb35438c839fb71a Mon Sep 17 00:00:00 2001
From: Patrik Lundin
Date: Tue, 29 Oct 2024 14:21:34 +0100
Subject: [PATCH] Add nftables rule for ip6tnl packets

---
 global/overlay/etc/puppet/modules/cdn/manifests/cache.pp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp b/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
index bb64cf3..2a4af46 100644
--- a/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
@@ -91,11 +91,16 @@ class cdn::cache(
     refreshonly => true,
   }
 
-  # Allow tunnel packets arriving from l4lb nodes
+  # Allow IPv4 tunnel packets arriving from l4lb nodes
   sunet::nftables::rule { 'sunet_cdn_tunnel4':
     rule => 'add rule inet filter input ip saddr { 130.242.64.233, 130.242.64.235 } ip protocol ipencap counter accept comment "sunet-cdn-tunnel4"'
   }
 
+  # Allow IPv6 tunnel packets arriving from l4lb nodes
+  sunet::nftables::rule { 'sunet_cdn_tunnel4':
+    rule => 'add rule inet filter input ip6 saddr { 2001:6b0:2006:74::1, 2001:6b0:2006:75::1 } ip6 nexthdr ipv6 counter accept comment "sunet-cdn-tunnel6"'
+  }
+
   # Allow decapsulated tunnel packets targeting the service IP range to reach
   # local service ports
   sunet::nftables::rule { 'sunet_cdn_service4':
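Review bot: The added IPv6 resource is declared as `sunet::nftables::rule { 'sunet_cdn_tunnel4':`, reusing the title of the IPv4 resource a few lines above; Puppet does not allow two resources of the same type with the same title, so this hunk will fail catalog compilation with a duplicate-declaration error rather than install the new rule. The title should match the comment string already used in the rule text: `sunet::nftables::rule { 'sunet_cdn_tunnel6':`. Separately, `ip6 nexthdr ipv6` compares only the first next-header field of the outer IPv6 header, so a 6in6 packet that carries an extension header (e.g. hop-by-hop or destination options) before the inner header would presumably fall through to whatever the chain's policy is; if the l4lb nodes can emit such packets, `meta l4proto ipv6` matches the protocol after extension headers and would be the safer predicate. The enclosing `class cdn::cache(` begins and ends outside this hunk.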