authorAsbjørn Sloth Tønnesen <asbjorn@labitat.dk>2021-06-18 21:55:27 +0000
committerAsbjørn Sloth Tønnesen <asbjorn@labitat.dk>2021-06-18 22:40:15 +0000
commit2240d5ee65c26df076979353d2a1e5cc38a59d1f (patch)
treef293b3420ff4347e67d07b65d013503c57d77135
parentff7bfb2fbfa64a4763294b067c984c4b05244821 (diff)
space_server: nftables: colo: accept BGP connectionsrouting-changes
Until now BGP connections have only been established when the space server has initiated the connection to the peer. It's best practice for both BGP speakers to be able to connect to one another, lowering recovery time.
-rw-r--r--roles/space_server/files/nftables.conf6
1 files changed, 6 insertions, 0 deletions
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index f29c274..2cd170b 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -69,6 +69,9 @@ table ip filter {
# bird etc. on fiberby link
iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
+ # bgp
+ iif $colo_if tcp dport bgp accept
+
# dhcp
udp sport bootpc udp dport bootps iif != $ext_if counter accept
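Review bot: The added `iif $colo_if tcp dport bgp accept` rule admits inbound TCP/179 from any source address arriving on $colo_if, while the rule two lines above it pins the bird traffic on the fiberby link to `ip saddr $link_net4 ip daddr $link_net4`; unless the colo link is a point-to-point with only the peer on it, every host able to reach that interface can now open a TCP session to the BGP daemon. If the file already defines a variable for the colo peer or link prefix (none is visible in this hunk), constrain the rule the same way and add the `counter` the sibling rules carry, e.g. `iif $colo_if ip saddr $colo_peer4 tcp dport bgp counter accept`. Whether the session is additionally protected by TCP MD5/AO is not visible here and is worth confirming in the bird configuration. The enclosing `table ip filter` chain starts and ends outside the hunk.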
@@ -166,6 +169,9 @@ table ip6 filter {
# bird etc. on fiberby link
iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept
+ # bgp
+ iif $colo_if tcp dport bgp accept
+
# tftp
iif $wire_if ip6 saddr $wire_net6 udp dport 69 accept
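Review bot: The IPv6 rule `iif $colo_if tcp dport bgp accept` has the same gap as its IPv4 counterpart: no `ip6 saddr` restriction, so any IPv6 host that can reach $colo_if may connect to TCP/179, whereas the neighbouring fiberby and tftp rules both scope by source prefix. It also omits `counter`, so the new accept cannot be seen in `nft list ruleset` statistics, unlike the rules around it. If a colo peer or link prefix variable exists for IPv6, prefer `iif $colo_if ip6 saddr $colo_peer6 tcp dport bgp counter accept`; if the peer is link-local, `ip6 saddr fe80::/10` would at least keep the rule to on-link sources. The enclosing `table ip6 filter` chain starts and ends outside the hunk.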