author | Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> | 2021-06-18 21:55:27 +0000 |
committer | Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> | 2021-06-18 22:40:15 +0000 |
commit | 2240d5ee65c26df076979353d2a1e5cc38a59d1f (patch) | |
tree | f293b3420ff4347e67d07b65d013503c57d77135 /roles/space_server/files | |
parent | ff7bfb2fbfa64a4763294b067c984c4b05244821 (diff) | |
space_server: nftables: colo: accept BGP connectionsrouting-changes
Until now BGP connections have only been established
when the space server has initiated the connection to
the peer.
It is best practice for both BGP speakers to be able to
connect to one another, which lowers recovery time.
Diffstat (limited to 'roles/space_server/files')
-rw-r--r-- | roles/space_server/files/nftables.conf | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index f29c274..2cd170b 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -69,6 +69,9 @@ table ip filter {
 # bird etc. on fiberby link
 iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
+ # bgp
+ iif $colo_if tcp dport bgp accept
+
 # dhcp
 udp sport bootpc udp dport bootps iif != $ext_if counter accept
@@ -166,6 +169,9 @@ table ip6 filter {
 # bird etc. on fiberby link
 iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept
+ # bgp
+ iif $colo_if tcp dport bgp accept
+
 # tftp
 iif $wire_if ip6 saddr $wire_net6 udp dport 69 accept
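Review bot: The new rule `iif $colo_if tcp dport bgp accept` in the `table ip filter` hunk admits TCP/179 from any source address arriving on the colo interface, whereas the fiberby rule two lines above it limits itself with `ip saddr $link_net4 ip daddr $link_net4`; the `table ip6 filter` hunk at `@@ -166,6 +169,9 @@` has the same shape. Since the description only needs the colo peer to be able to initiate the session, pinning the source keeps that effect while closing the port to everything else on the link, e.g. `iif $colo_if ip saddr $colo_peer4 tcp dport bgp counter accept` (with `$colo_peer4` standing in for whatever define holds the colo peer's address, and a `$colo_peer6` equivalent in the ip6 table). Adding `counter` also matches every other accept rule in these hunks and makes inbound session attempts observable in `nft list ruleset`. Whether bird additionally protects the session with TCP MD5/TCP-AO or a TTL-security check is not visible here; if it does not, the source match is the only thing keeping unsolicited connections away from the daemon. The enclosing chain starts and ends outside both hunks.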