Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Change osbuildapi set table to the ip filter table.

Browse source 
Signed-off-by: James Antill <james@and.org>
This commit is contained in:
James Antill 2025-03-03 17:08:20 -05:00
parent 224d98cbb0
commit ca18224faa
2 changed files with 4 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

3
roles/base/templates/nftables/nftables.kojibuilder
View file

@ -32,8 +32,7 @@ add rule ip filter INPUT ip saddr {{ ip }} counter drop
#!# WARNING: This is very different... #!# WARNING: This is very different...
# -A OUTPUT -p tcp --dport 443 -m set --match-set osbuildapi dst -j ACCEPT # -A OUTPUT -p tcp --dport 443 -m set --match-set osbuildapi dst -j ACCEPT
add table inet global add set ip filter osbuildapi { type ipv4_addr ; size 65536; }
add set inet global osbuildapi { type ipv4_addr ; size 65536; }
add rule ip filter OUTPUT tcp dport 443 ip daddr @osbuildapi accept add rule ip filter OUTPUT tcp dport 443 ip daddr @osbuildapi accept

6
roles/koji_builder/templates/osbuildapi-update-nft.sh
View file

@ -20,15 +20,15 @@ NEWIDENTITYIPS=`echo "$RESOLVEQUERY" | grep link | sed -E 's/.* ([0-9]+\.[0-9]+\
# Empty the filter: We do this at the end for a small window.` # Empty the filter: We do this at the end for a small window.`
# NOTE: We aren't flushing old entries anymore. # NOTE: We aren't flushing old entries anymore.
# See commit: e7b50aaee469fdded0ea650c7e7f4dd06e929609 # See commit: e7b50aaee469fdded0ea650c7e7f4dd06e929609
# nft flush set global osbuildapi # nft flush set ip filter osbuildapi
# Add the IPs... # Add the IPs...
for j in $NEWIPS for j in $NEWIPS
do do
nft add element ip global osbuildapi { $j } nft add element ip filter osbuildapi { $j }
done done
for j in $NEWIDENTITYIPS for j in $NEWIDENTITYIPS
do do
nft add element ip global osbuildapi { $j } nft add element ip filter osbuildapi { $j }
done done