Commit 2a5ecf3

fix: add blanket ACL for fabric IP ranges
Similar to what we do in the hardware external right now, to avoid peering VPCs at the external.

Signed-off-by: Emanuele Di Pascale <[email protected]>
1 parent bdd16f5 commit 2a5ecf3

File tree

1 file changed

+2
-0
lines changed
pkg/hhfab/vlab_external_butane.tmpl.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -293,6 +293,8 @@ systemd:
293293
ExecStart=/usr/bin/iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
294294
295295
# Forward rules in DOCKER-USER chain
296+
# Drop all traffic with both source and destination in the fabric IP range, that is, 10.0.0.0/8. TODO: make this configurable
297+
ExecStart=/usr/bin/iptables -I DOCKER-USER -s 10.0.0.0/8 -d 10.0.0.0/8 -j DROP
296298
{{range $vrfkey, $vrf := .ExternalVRFs}}
297299
ExecStart=/usr/bin/iptables -I DOCKER-USER -i {{$vrfkey}} -o enp2s0 -j ACCEPT
298300
{{range $connNicKey, $connNic := $.ExternalNICs}}{{range $attach := $connNic.Attachments}}{{if eq $attach.VRF $vrfkey}}
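Review bot: rule ordering at lines 296-297 looks inverted relative to the intent. The new DROP is inserted with `-I DOCKER-USER` (no position, so it goes to the head of the chain), but the per-VRF rules that follow in the `{{range $vrfkey, $vrf := .ExternalVRFs}}` loop also use `-I DOCKER-USER ... -j ACCEPT`, so each later insert lands above it and the fabric-range DROP ends up evaluated only after every ACCEPT. Any flow from a VRF interface out `enp2s0` is accepted before the 10.0.0.0/8-to-10.0.0.0/8 check is reached. If that is the intended precedence, say so in the comment; if the DROP is meant to take priority, emit it after the loop (so its `-I` puts it at the head) or switch the per-VRF rules to `-A`. Also worth noting in the comment that the blanket range is deliberately broad (the TODO already flags it as hard-coded), since a DROP is terminal and will also catch any non-VPC 10.0.0.0/8 traffic that traverses DOCKER-USER.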