From c395fe22c7d0b63cb11c47f3792c70b72772bf2f Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Wed, 17 Jan 2024 19:19:55 +0100
Subject: [PATCH] ceph: allow connections from more addresses

Should unhardcode this at some point.
---
 roles/ceph/templates/nftables.conf.j2 | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/roles/ceph/templates/nftables.conf.j2 b/roles/ceph/templates/nftables.conf.j2
index 1f4044d..31c3419 100644
--- a/roles/ceph/templates/nftables.conf.j2
+++ b/roles/ceph/templates/nftables.conf.j2
@@ -5,9 +5,13 @@ flush ruleset
 # Just a temporary filter until we get our shit together policy-wise.
 table inet filter {
 set allowed {
- type ipv4_addr
- flags interval
- elements = { 10.32.0.0/14, 193.2.76.176/24, 192.168.19.0/24, 192.168.251.0/24 }
+ type ipv4_addr; flags interval
+ elements = { 10.32.0.0/14, 193.2.76.176/24, 192.168.19.0/24, 192.168.251.0/24, 88.200.23.0/24 }
+ }
+
+ set allowed/6 {
+ type ipv6_addr; flags interval
+ elements = { 2001:1470:fffd::/48 }
 }
 
 chain input {
@@ -21,6 +25,7 @@ table inet filter {
 iif lan1 ip6 saddr fe80::/64 accept
 
 ip saddr @allowed accept
+ ip6 saddr @allowed/6 accept
 }
 
 chain forward {
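Review bot: The new `88.200.23.0/24` element and the whole `allowed/6` set are added without any indication of which network or site they belong to, so the next person auditing this allowlist cannot tell whether a range still deserves access; a one-line comment per element in the template, e.g. `# 88.200.23.0/24 - <owner/site, fill in>` and `# 2001:1470:fffd::/48 - <owner/site, fill in>`, would make that review possible. Since this is already a Jinja2 template, the "should unhardcode this" from the commit message is a small step: render both element lists from an Ansible variable (one per address family) instead of literal addresses, so the allowlist lives in inventory where it is diffed and reviewed like other host data. Separately, `193.2.76.176/24` carries host bits inside a /24 prefix; nft may accept and normalise it, but the intent is clearer written as the network address, which is worth confirming while the set is being touched. The `table inet filter` block continues past both hunks.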