| author | Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> | 2021-06-18 21:41:49 +0000 | 
|---|---|---|
| committer | Emil Renner Berthing <esmil@labitat.dk> | 2021-06-19 11:08:04 +0200 | 
| commit | 23a84a3cfeac299ef34e422cdcd9ea3499376a90 (patch) | |
| tree | 7c1fee6d3af84e36b27699e814ace5471334fbf3 /roles/space_server/files/nftables.service | |
| parent | f72c04ecb33b1319b611da9df8296c597092c376 (diff) | |
space_server: nftables: colo: use dynamic reverse path filter

This patch changes the reverse path filtering of the labicolo VLAN
to take place in the prerouting hook, using the kernel routing
table, and removes the need to maintain a static prefix list.

Labicolo routes are exported to the kernel routing table by BIRD,
hence it should be sufficient to only have prefix lists there.

This change has been tested, and it's only possible to spoof
fellow labicolo members' address space (same as before).

Esmil: prerouting before input/forward makes more sense to me
Diffstat (limited to 'roles/space_server/files/nftables.service')
0 files changed, 0 insertions, 0 deletions
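
The approach the commit message describes, sketched as an added nftables example; it is not the repository's ruleset, whose diff is not shown on this page. The interface name `colo0`, the table, set and chain names, the hook priorities and the documentation prefixes are assumptions chosen for illustration.

```nft
# Added illustration. "colo0" and all prefixes are placeholders.
# The two tables are alternatives: load one or the other, not both.

# Before: source validation against a hand-maintained prefix list,
# repeated in every hook that sees traffic from the VLAN.
table inet rpf_static {
    set colo_prefixes4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }

    chain input {
        type filter hook input priority filter; policy accept;
        iifname "colo0" ip saddr != @colo_prefixes4 counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "colo0" ip saddr != @colo_prefixes4 counter drop
    }
}

# After: one rule in prerouting, which runs before the input/forward split.
# "fib saddr . iif oif" looks up the packet's source address in the kernel
# routing table, constrained to the interface the packet arrived on.
# "missing" means no route for that source points back out that interface,
# so the packet is dropped. Whatever installs routes via colo0 (BIRD, in the
# commit message) becomes the single source of truth for allowed prefixes.
table inet rpf_fib {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iifname "colo0" fib saddr . iif oif missing counter drop
    }
}
```

Because the lookup is per interface rather than per host, any source address routed via `colo0` is accepted from any host on that VLAN, which matches the residual spoofing scope stated in the commit message. The `counter` statements make drops visible in `nft list ruleset` when verifying the change.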
