From 25228c1d14a06d4ea5dedfc893a9f08cc4cfb4f3 Mon Sep 17 00:00:00 2001
From: Kasumi Hanazuki
Date: Tue, 8 Apr 2025 10:23:53 +0000
Subject: [PATCH] plat: NAT64'd private traffic follow BGP best path
---
 itamae/roles/plat/templates/etc/bird/bird.conf.d/plat.conf | 5 +----
 itamae/roles/plat/templates/etc/nftables/plat.conf | 4 ++++
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/itamae/roles/plat/templates/etc/bird/bird.conf.d/plat.conf b/itamae/roles/plat/templates/etc/bird/bird.conf.d/plat.conf
index cf816c4..472abd4 100644
--- a/itamae/roles/plat/templates/etc/bird/bird.conf.d/plat.conf
+++ b/itamae/roles/plat/templates/etc/bird/bird.conf.d/plat.conf
@@ -142,10 +142,7 @@ protocol bgp bgp_outside {
 ipv4 {
 table bgp4;
- import filter {
- if net = 0.0.0.0/0 then accept;
- reject;
- };
+ import all;
 export filter {
 if dest = RTD_UNREACHABLE then reject; # static recursive route can be RTD_UNREACHABLE when unresolvable
 if net = <%= node.dig(:plat, :nat64).fetch(:outer_public) %>/32 then accept;
diff --git a/itamae/roles/plat/templates/etc/nftables/plat.conf b/itamae/roles/plat/templates/etc/nftables/plat.conf
index bc23b63..f26f784 100644
--- a/itamae/roles/plat/templates/etc/nftables/plat.conf
+++ b/itamae/roles/plat/templates/etc/nftables/plat.conf
@@ -107,6 +107,8 @@ table inet plat {
 }
 chain forward-xlat2inside {
+ ip saddr $nat64_outer accept
+
 ct state invalid,new,untracked counter drop
 ip6 saddr { $pref64n, 2001:df0:8500:ca6d::/64 } counter accept
@@ -114,6 +116,8 @@ table inet plat {
 }
 chain forward-inside2xlat {
+ ip daddr $nat64_outer accept
+
 meta l4proto tcp ct state invalid,untracked counter reject with tcp reset
 ct state invalid,untracked counter drop
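Review bot: `import all;` on the bgp_outside ipv4 channel accepts every prefix the outside peer announces into bgp4 with no sanity filter, whereas the removed filter admitted only 0.0.0.0/0; a peer, or a leak upstream of it, could now place more-specifics of the inside or NAT64 prefixes into the table and steer exactly the private-side traffic this commit routes by best path. Keep the open import but reject prefixes that must stay local and cap the table, e.g. `import filter { if net ~ [ <INSIDE-PREFIXES, placeholder> ] then reject; accept; };` together with `import limit <N, placeholder> action block;`. The export side's `if net = <%= … %>/32 then accept` is unaffected by this. The enclosing `protocol bgp bgp_outside {` block begins before this hunk and continues past it.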
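Review bot: `ip saddr $nat64_outer accept` sits ahead of the `ct state invalid,new,untracked counter drop` rule in forward-xlat2inside, so packets carrying the translator's outer address as source are forwarded inside in any conntrack state, including invalid and untracked, with no destination restriction; the same ordering appears in forward-inside2xlat in the next hunk, where `ip daddr $nat64_outer accept` admits anything from inside toward the outer address before that chain's invalid/untracked reject and drop. If the intent is only that connections initiated through NAT64 reach private destinations and their replies come back, `ip saddr $nat64_outer ct state new,established,related counter accept` here and, if inside hosts are not meant to open connections to the outer address, `ip daddr $nat64_outer ct state established,related counter accept` on the inside2xlat side keep the state checks in force. The two new rules are also the only ones in these chains without `counter`, which leaves the newly opened path invisible to the per-rule counters every other rule carries. The chain forward-xlat2inside opens in this hunk but closes outside it.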