ceph: fix nftables management rule

The mgmt VRF might not exist yet when nftables rules are loaded, so use iifname instead of iif for dynamic interface lookup.
2024-05-09 12:18:47 +02:00 · 2024-05-09 12:18:47 +02:00 · 5762236ac2
commit 5762236ac2
parent 5a7fa02909
1 changed files with 2 additions and 2 deletions
--- a/roles/ceph/templates/nftables.conf.j2
+++ b/roles/ceph/templates/nftables.conf.j2
@ -46,8 +46,6 @@ table inet filter {
        iif lan0 ip6 saddr fe80::/64 accept
        iif lan1 ip6 saddr fe80::/64 accept

-        iif mgmt accept comment "management access"
-
        ip saddr @cluster accept comment "accept connections from other nodes"
        ip6 saddr @cluster/6 accept comment "accept connections from other nodes"

@ -66,6 +64,8 @@ table inet filter {

 {% endfor %}

+        iifname mgmt accept comment "management access"
+
        ip saddr @allowed accept
        ip6 saddr @allowed/6 accept
    }