Use correct version for renamed purger

Also teach sunet-l4lb-namespace to load the nft ruleset if it exists.
While here modify the script so instead of running "once per netns
config file" we merge the interface config from each json file into the
same dict per namespace. Without this we would attempt to load the nft
ruleset twice (once per file that mentioned the namespace) or warn twice
if the file did not exist etc.

global/overlay/etc/puppet/modules/cdn/files/l4lb/sunet-l4lb-namespace

@@ -15,6 +15,7 @@ mypy --strict sunet-l4lb-namespace
 
 import ipaddress
 import json
+import os
 import shlex
 import subprocess
 import sys
@@ -142,6 +143,15 @@ def setup_namespaces(netns_data: dict[str, dict[str, dict[str, list[str]]]]) ->
             # Make localhost available
             run_command(f"ip netns exec {namespace} ip link set lo up")
 
+        # (Re)load the nft ruleset for the given namespace
+        nft_ruleset = f"/opt/sunet-cdn/l4lb/conf/nft-{namespace}.conf"
+        if os.path.isfile(nft_ruleset):
+            run_command(f"ip netns exec {namespace} nft -f {nft_ruleset}")
+        else:
+            print(
+                f"WARNING: no nft ruleset found for namespace '{namespace}' ({nft_ruleset}), the namespace will not be firewalled"  # pylint: disable=line-too-long
+            )
+
         configure_interfaces(namespace, if_data)
 
 
@@ -175,14 +185,24 @@ def main() -> None:
         "/opt/sunet-cdn/l4lb/conf/netns-sunet-cdn-agent.json",
     ]
 
+    merged_netns_data: dict[str, dict[str, dict[str, list[str]]]] = {}
     for input_file in input_files:
         try:
             with open(input_file, encoding="utf-8") as f:
                 netns_data = json.load(f)
+
+            # Combine interface config from multiple files belonging to the same namespace
+            for ns, ns_data in netns_data.items():
+                if ns in merged_netns_data:
+                    merged_netns_data[ns].update(ns_data)
+                else:
+                    merged_netns_data[ns] = ns_data
+
         except FileNotFoundError:
             print(f"skipping nonexistant file '{input_file}'")
             continue
-        setup_namespaces(netns_data)
+
+    setup_namespaces(merged_netns_data)
 
 
 if __name__ == "__main__":

global/overlay/etc/puppet/modules/cdn/manifests/cache.pp

@@ -3,7 +3,7 @@ class cdn::cache(
   Hash[String, Integer] $customers = {
     customer1 => 1000000000,
   },
-  String $sunet_cdnp_version = '0.0.7',
+  String $sunet_cdn_purger_version = '0.0.8',
   Hash[String, String] $acme_url = {
     test => 'https://internal-sto3-test-ca-1.cdn.sunet.se:9000/acme/acme/directory'
   },
@@ -155,51 +155,51 @@ class cdn::cache(
     creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem"
   }
 
-  $sunet_cdnp_dir = '/var/lib/sunet-cdnp'
+  $sunet_cdn_purger_dir = '/var/lib/sunet-cdn-purger'
-  $sunet_cdnp_file = "sunet-cdnp_${sunet_cdnp_version}_linux_${facts[os][architecture]}.tar.gz"
+  $sunet_cdn_purger_file = "sunet-cdn-purger_${sunet_cdn_purger_version}_linux_${facts[os][architecture]}.tar.gz"
-  $sunet_cdnp_url = "https://github.com/SUNET/sunet-cdnp/releases/download/v${sunet_cdnp_version}/${sunet_cdnp_file}"
+  $sunet_cdn_purger_url = "https://github.com/SUNET/sunet-cdn-purger/releases/download/v${sunet_cdn_purger_version}/${sunet_cdn_purger_file}"
   # Create directory for managing CDP purger
-  file { $sunet_cdnp_dir:
+  file { $sunet_cdn_purger_dir:
     ensure => directory,
     owner  => 'root',
     group  => 'root',
     mode   => '0755',
   }
 
-  exec { "curl -LO ${sunet_cdnp_url}":
+  exec { "curl -LO ${sunet_cdn_purger_url}":
-    creates => "${sunet_cdnp_dir}/${sunet_cdnp_file}",
+    creates => "${sunet_cdn_purger_dir}/${sunet_cdn_purger_file}",
-    cwd     => $sunet_cdnp_dir,
+    cwd     => $sunet_cdn_purger_dir,
-    notify  => Exec['extract sunet-cdnp'],
+    notify  => Exec['extract sunet-cdn-purger'],
   }
 
-  exec { 'extract sunet-cdnp':
+  exec { 'extract sunet-cdn-purger':
-    command     => "tar -xzf ${sunet_cdnp_file} sunet-cdnp",
+    command     => "tar -xzf ${sunet_cdn_purger_file} sunet-cdn-purger",
-    cwd         => $sunet_cdnp_dir,
+    cwd         => $sunet_cdn_purger_dir,
     refreshonly => true,
-    notify      => Service['sunet-cdnp'],
+    notify      => Service['sunet-cdn-purger'],
   }
 
-  file { "${sunet_cdnp_dir}/sunet-cdnp":
+  file { "${sunet_cdn_purger_dir}/sunet-cdn-purger":
     owner => 'root',
     group => 'root',
     mode  => '0755',
   }
 
-  file { '/usr/local/bin/sunet-cdnp':
+  file { '/usr/local/bin/sunet-cdn-purger':
     ensure => link,
-    target => "${sunet_cdnp_dir}/sunet-cdnp",
+    target => "${sunet_cdn_purger_dir}/sunet-cdn-purger",
   }
 
-  file { '/etc/systemd/system/sunet-cdnp.service':
+  file { '/etc/systemd/system/sunet-cdn-purger.service':
     ensure  => file,
     owner   => 'root',
     group   => 'root',
     mode    => '0644',
-    content => template('cdn/cache/sunet-cdnp.service.erb'),
+    content => template('cdn/cache/sunet-cdn-purger.service.erb'),
     notify  => [Class['sunet::systemd_reload']],
   }
 
-  service { 'sunet-cdnp':
+  service { 'sunet-cdn-purger':
     ensure => 'running',
     enable => true,
   }

global/overlay/etc/puppet/modules/cdn/manifests/l4lb.pp

@@ -64,6 +64,14 @@ class cdn::l4lb(
     content => template('cdn/l4lb/netns-base.json.erb'),
   }
 
+  file { '/opt/sunet-cdn/l4lb/conf/nft-l4lb.conf':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => template('cdn/l4lb/nft-l4lb.conf.erb'),
+  }
+
   file { '/usr/local/bin/sunet-l4lb-namespace':
     ensure  => file,
     owner   => 'root',

global/overlay/etc/puppet/modules/cdn/templates/cache/sunet-cdn-purger.service.erb

@@ -6,7 +6,7 @@ After=docker.service
 
 [Service]
 Type=simple
-ExecStart=/usr/local/bin/sunet-cdnp \
+ExecStart=/usr/local/bin/sunet-cdn-purger \
   -mqtt-ca-file /usr/local/share/ca-certificates/step_ca_root.crt \
   -mqtt-client-key-file /etc/letsencrypt/live/<%= @networking['fqdn'] %>/privkey.pem \
   -mqtt-client-cert-file /etc/letsencrypt/live/<%= @networking['fqdn'] %>/fullchain.pem \

global/overlay/etc/puppet/modules/cdn/templates/l4lb/nft-l4lb.conf.erb

@@ -0,0 +1,40 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+        chain input {
+                type filter hook input priority 0; policy drop;
+
+                # accept any localhost traffic
+                iif lo counter accept
+
+                # accept icmp
+                ip protocol icmp counter accept
+                ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
+                                                 parameter-problem, echo-request, mld-listener-query,
+                                                 nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
+                                                 nd-neighbor-advert } counter accept
+
+                # accept traffic originated from us
+                ct state established counter accept
+                # silently drop invalid packets
+                ct state invalid counter drop
+        }
+        chain forward {
+                type filter hook forward priority 0; policy drop;
+        }
+        chain output {
+                type filter hook output priority 0;
+        }
+}
+
+# HTTP and HTTPS
+add rule inet filter input tcp dport 80 counter accept comment "l4lb HTTP"
+add rule inet filter input tcp dport 443 counter accept comment "l4lb HTTPS"
+
+# BGP
+add rule inet filter input ip saddr { 130.242.64.232 } tcp dport 179 counter accept comment "tug-r11-v4"
+add rule inet filter input ip saddr { 130.242.64.234 } tcp dport 179 counter accept comment "tug-r12-v4"
+add rule inet filter input ip6 saddr { 2001:6b0:2006:74:: } tcp dport 179 counter accept comment "tug-r11-v6"
+add rule inet filter input ip6 saddr { 2001:6b0:2006:75:: } tcp dport 179 counter accept comment "tug-r12-v6"