cdn-ops/global/overlay/etc/puppet/modules/cdn/templates/l4lb/nft-l4lb.conf.erb

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;

                # accept any localhost traffic
                iif lo counter accept

                # accept icmp
                ip protocol icmp counter accept
                ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                                                 parameter-problem, echo-request, mld-listener-query,
                                                 nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
                                                 nd-neighbor-advert } counter accept

                # accept traffic originated from us
                ct state established counter accept
                # silently drop invalid packets
                ct state invalid counter drop
        }
        chain forward {
                type filter hook forward priority 0; policy drop;
        }
        chain output {
                type filter hook output priority 0;
        }
}

# HTTP and HTTPS
add rule inet filter input tcp dport 80 counter accept comment "l4lb HTTP"
add rule inet filter input tcp dport 443 counter accept comment "l4lb HTTPS"

# BGP
add rule inet filter input ip saddr { 130.242.64.232 } tcp dport 179 counter accept comment "tug-r11-v4"
add rule inet filter input ip saddr { 130.242.64.234 } tcp dport 179 counter accept comment "tug-r12-v4"
add rule inet filter input ip6 saddr { 2001:6b0:2006:74:: } tcp dport 179 counter accept comment "tug-r11-v6"
add rule inet filter input ip6 saddr { 2001:6b0:2006:75:: } tcp dport 179 counter accept comment "tug-r12-v6"