Change osbuildapi set table to the ip filter table.

Signed-off-by: James Antill <james@and.org>
2025-03-03 17:08:20 -05:00 · 2025-03-03 17:08:20 -05:00 · ca18224faa
commit ca18224faa
parent 224d98cbb0
2 changed files with 4 additions and 5 deletions
--- a/roles/base/templates/nftables/nftables.kojibuilder
+++ b/roles/base/templates/nftables/nftables.kojibuilder
@ -32,8 +32,7 @@ add rule ip filter INPUT ip saddr {{ ip }} counter drop
 #!# WARNING: This is very different...
 # -A OUTPUT -p tcp --dport 443 -m set --match-set osbuildapi dst -j ACCEPT

-add table inet global
-add set inet global osbuildapi { type ipv4_addr ; size 65536; }
+add set  ip filter osbuildapi { type ipv4_addr ; size 65536; }

 add rule ip filter OUTPUT tcp dport 443 ip daddr @osbuildapi accept

--- a/roles/koji_builder/templates/osbuildapi-update-nft.sh
+++ b/roles/koji_builder/templates/osbuildapi-update-nft.sh
@ -20,15 +20,15 @@ NEWIDENTITYIPS=`echo "$RESOLVEQUERY" | grep link | sed -E 's/.* ([0-9]+\.[0-9]+\
 # Empty the filter: We do this at the end for a small window.`
 # NOTE: We aren't flushing old entries anymore.
 # See commit: e7b50aaee469fdded0ea650c7e7f4dd06e929609
-# nft flush set global osbuildapi
+# nft flush set ip filter osbuildapi

 # Add the IPs...
 for j in $NEWIPS
 do
-     nft add element ip global osbuildapi { $j }
+     nft add element ip filter osbuildapi { $j }
 done

 for j in $NEWIDENTITYIPS
 do
-     nft add element ip global osbuildapi { $j }
+     nft add element ip filter osbuildapi { $j }
 done