router(host): expose public v6 networks

Also prepare for exposing public v4 networks later.
June 2025-12-16 19:03:36 +01:00
commit 5f98dca56c
Signed by: june
SSH key fingerprint: SHA256:o9EAq4Y9N9K0pBQeBTqhSDrND5E7oB+60ZNx0U1yPe0


@ -13,6 +13,8 @@ define wan_ifs = { $if_net1_v4_wan,
$if_net2_v6_wan } $if_net2_v6_wan }
define lan_ifs = { $if_net0_2_v4_nat, define lan_ifs = { $if_net0_2_v4_nat,
$if_net0_3_ci_runner } $if_net0_3_ci_runner }
# define v4_exposed_ifs = { }
define v6_exposed_ifs = { $if_net0_2_v4_nat }
## Rules ## Rules
@ -69,5 +71,9 @@ table inet forward {
# Allow internet access. # Allow internet access.
meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access" meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access"
meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access" meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
# Allow access to exposed networks from internet.
# meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
} }
} }
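Review bot: The added v6 rule in the second hunk matches only `oifname $v6_exposed_ifs`, so it accepts forwarded IPv6 from every input interface, not just from the internet as the comment above it says. As written, hosts behind `$if_net0_3_ci_runner` could also open new connections into the exposed network, unless an earlier rule outside this hunk already prevents that. If only WAN-originated traffic is intended, pin the ingress side: `meta nfproto ipv6 iifname $if_net2_v6_wan oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"`, and give the commented-out v4 rule the same treatment with `$if_net1_v4_wan` before it is enabled. The rule also carries no protocol or port match, so every service listening on a global v6 address in `$if_net0_2_v4_nat` becomes reachable and the hosts there need their own filtering. A short comment at `define v6_exposed_ifs` saying so would help, since the interface name suggests a NAT-only network. The `forward` chain starts above the hunk, so its policy and any established/related rule are not visible here.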