From b018c81f81ce2d9d40f2ea8dd4d564bb027888e2 Mon Sep 17 00:00:00 2001
From: Patrik Lundin
Date: Sun, 13 Oct 2024 14:28:50 +0200
Subject: [PATCH] cache: initial rules to allow traffic from l4lb

---
 .../overlay/etc/puppet/modules/cdn/manifests/cache.pp | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp b/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
index 2104623..1aeeb7c 100644
--- a/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
@@ -91,6 +91,17 @@ class cdn::cache(
 refreshonly => true,
 }
 
+ # Allow tunnel packets arriving from l4lb nodes
+ sunet::nftables::rule { 'sunet_cdn_tunnel4':
+ rule => 'add rule inet filter input ip saddr { 130.242.64.233, 130.242.64.235 } ip protocol ipencap counter accept comment "sunet-cdn-tunnel4"'
+ }
+
+ # Allow decapsulated tunnel packets targeting the service IP range to reach
+ # local service ports
+ sunet::nftables::rule { 'sunet_cdn_tunnel4':
+ rule => 'add rule inet filter input meta iifname tunl0 ip daddr 188.240.152.0/24 tcp dport { 80, 443 } counter accept comment "sunet-cdn-service4'
+ }
+
 if $cache_secrets {
 $customers.each |String $customer, Integer $customer_uid| {
 if $cache_secrets['customers'][$customer] {
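Review bot: Both added `sunet::nftables::rule` resources carry the same title `'sunet_cdn_tunnel4'`, which makes the catalog fail with a duplicate declaration, so neither accept rule reaches the cache nodes; the second one should be titled `'sunet_cdn_service4'` to match its own comment. The second rule string is also malformed: the nft comment `"sunet-cdn-service4` is missing its closing double quote before the Puppet `'`, so nft would reject that rule even once the title clash is fixed — it should end `comment "sunet-cdn-service4"'`. Since the ipencap rule only pins the outer source to the two l4lb addresses while the tunl0 rule admits any inner source toward 188.240.152.0/24:80,443, it may be worth stating in the comment that unrestricted inner sources are intended (client traffic forwarded by the load balancer). The enclosing `cdn::cache` class starts before and continues after this hunk.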