sunet-cdn/cdn-ops
2
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Add nftables rule for ip6tnl packets

Browse source
This commit is contained in:
Patrik Lundin 2024-10-29 14:21:34 +01:00
parent bd055b1ac8
commit 0b3e9c48ff
Signed by: patlu
GPG key ID: A0A812BA2249F294
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
View file

@ -91,11 +91,16 @@ class cdn::cache(
refreshonly => true, refreshonly => true,
} }
# Allow tunnel packets arriving from l4lb nodes # Allow IPv4 tunnel packets arriving from l4lb nodes
sunet::nftables::rule { 'sunet_cdn_tunnel4': sunet::nftables::rule { 'sunet_cdn_tunnel4':
rule => 'add rule inet filter input ip saddr { 130.242.64.233, 130.242.64.235 } ip protocol ipencap counter accept comment "sunet-cdn-tunnel4"' rule => 'add rule inet filter input ip saddr { 130.242.64.233, 130.242.64.235 } ip protocol ipencap counter accept comment "sunet-cdn-tunnel4"'
} }
# Allow IPv6 tunnel packets arriving from l4lb nodes
sunet::nftables::rule { 'sunet_cdn_tunnel4':
rule => 'add rule inet filter input ip6 saddr { 2001:6b0:2006:74::1, 2001:6b0:2006:75::1 } ip6 nexthdr ipv6 counter accept comment "sunet-cdn-tunnel6"'
}
# Allow decapsulated tunnel packets targeting the service IP range to reach # Allow decapsulated tunnel packets targeting the service IP range to reach
# local service ports # local service ports
sunet::nftables::rule { 'sunet_cdn_service4': sunet::nftables::rule { 'sunet_cdn_service4':