firewall: reload nftables in mgmt VRF

It doesn’t matter for the rules themselves as nft does not do VRFs,
but DNS names can only be resolved there. This is because all nodes
use the same IPs in the default VRF, so DNS replies sent from there go
to the active node.

This allows using DNS names in firewall rules. Not yet sure if that is
actually a good idea.
Timotej Lazar 2024-08-19 13:54:01 +02:00
parent 5032d1ac84
commit c3ff39fe72

@ -4,7 +4,7 @@ set -e
apply() {
cp -R /opt/config/etc/nftables.d /etc || return 1
nft -I /etc/nftables.d -f /etc/nftables.nft || return 2
ip vrf exec mgmt nft -I /etc/nftables.d -f /etc/nftables.nft || return 2
cp -R /opt/config/etc/wireguard /etc || return 3
wg syncconf wg /etc/wireguard/wg.conf || return 4
}
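Review bot: the `ip vrf exec mgmt` prefix on the nft line is the only place in the script where the mgmt-VRF dependency is recorded, and the reason for it (name resolution has to happen in the mgmt VRF because the default-VRF addresses are shared with the active node) lives only in the commit message; add a short comment above that line so a later reader does not simplify it back to a plain `nft -I /etc/nftables.d -f /etc/nftables.nft`. Two consequences of using DNS names in the ruleset are also worth a comment or a follow-up: nft resolves names once when it parses the file, so a DNS change only takes effect on the next apply, and a resolution failure (for example no resolver reachable from the mgmt VRF) makes the load fail with `return 2`, which the caller cannot tell apart from a syntax error in the ruleset.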