cache: initial rules to allow traffic from l4lb

This commit is contained in:
Patrik Lundin 2024-10-13 14:28:50 +02:00
parent 4bf6b2d79b
commit b018c81f81
Signed by: patlu
GPG key ID: A0A812BA2249F294


@ -91,6 +91,17 @@ class cdn::cache(
refreshonly => true,
}
# Allow tunnel packets arriving from l4lb nodes
sunet::nftables::rule { 'sunet_cdn_tunnel4':
rule => 'add rule inet filter input ip saddr { 130.242.64.233, 130.242.64.235 } ip protocol ipencap counter accept comment "sunet-cdn-tunnel4"'
}
# Allow decapsulated tunnel packets targeting the service IP range to reach
# local service ports
sunet::nftables::rule { 'sunet_cdn_tunnel4':
rule => 'add rule inet filter input meta iifname tunl0 ip daddr 188.240.152.0/24 tcp dport { 80, 443 } counter accept comment "sunet-cdn-service4'
}
if $cache_secrets {
$customers.each |String $customer, Integer $customer_uid| {
if $cache_secrets['customers'][$customer] {
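Review bot: Both new `sunet::nftables::rule` resources (lines 16 and 21) carry the same title `'sunet_cdn_tunnel4'`, which Puppet rejects as a duplicate declaration, so the catalog fails and the second accept rule is never installed; the second resource should get its own title, e.g. `sunet::nftables::rule { 'sunet_cdn_service4':`, which also matches its nftables comment. The rule string on line 22 is additionally missing the closing double quote of the nft comment: `"sunet-cdn-service4'` should read `"sunet-cdn-service4"'`, otherwise the rule text is malformed when it is handed to nft. Assuming `sunet::nftables::rule` loads the string as given, the failure mode is that the decapsulated-tunnel accept for the 188.240.152.0/24 service range never lands, so traffic is dropped rather than unexpectedly allowed, but the catalog error itself will block the whole run on the cache nodes; a catalog compile before rollout would catch both. The enclosing `cdn::cache` class starts before and continues past this hunk.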