ceph: fix nftables management rule
The mgmt VRF might not exist yet when nftables rules are loaded, so use iifname instead of iif for dynamic interface lookup.
parent
5a7fa02909
commit
5762236ac2
|
@ -46,8 +46,6 @@ table inet filter {
|
||||||
iif lan0 ip6 saddr fe80::/64 accept
|
iif lan0 ip6 saddr fe80::/64 accept
|
||||||
iif lan1 ip6 saddr fe80::/64 accept
|
iif lan1 ip6 saddr fe80::/64 accept
|
||||||
|
|
||||||
iif mgmt accept comment "management access"
|
|
||||||
|
|
||||||
ip saddr @cluster accept comment "accept connections from other nodes"
|
ip saddr @cluster accept comment "accept connections from other nodes"
|
||||||
ip6 saddr @cluster/6 accept comment "accept connections from other nodes"
|
ip6 saddr @cluster/6 accept comment "accept connections from other nodes"
|
||||||
|
|
||||||
|
@ -66,6 +64,8 @@ table inet filter {
|
||||||
|
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
|
iifname mgmt accept comment "management access"
|
||||||
|
|
||||||
ip saddr @allowed accept
|
ip saddr @allowed accept
|
||||||
ip6 saddr @allowed/6 accept
|
ip6 saddr @allowed/6 accept
|
||||||
}
|
}
|
||||||
|
|
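Review bot: The new `iifname mgmt accept` rule admits every packet whose input interface carries the name `mgmt`, with no source or port restriction, and because `iifname` is compared as a string at packet time, any interface later created under that name inherits the same trust. If management access only needs a few services, restricting the rule to those destination ports would limit what a misnamed or unexpected interface can reach. The rule also moved from above the `@cluster` accepts to below the `{% endfor %}` loop, which the commit message does not explain; if that loop (its body is outside the hunk) emits drop or reject verdicts, management traffic now meets them first. A comment above the rule, such as `# iifname, not iif: the mgmt VRF may not exist when the ruleset is loaded`, would record why the name match is intentional.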