game-stream: gate Moonlight before node routing

jenkins 2026-05-21 17:16:54 -03:00
parent 0f84be5083
commit 0eba74d9b3


@ -45,42 +45,47 @@ data:
return ["{", *[f"{port}," for port in ports[:-1]], ports[-1], "}"]
def _ensure_rules():
_nft(["add", "table", "inet", "wolf_gatekeeper"], check=False)
_nft(["add", "set", "inet", "wolf_gatekeeper", "allowed_v4", "{", "type", "ipv4_addr;", "flags", "timeout;", "}"], check=False)
_nft(["add", "set", "inet", "wolf_gatekeeper", "allowed_v6", "{", "type", "ipv6_addr;", "flags", "timeout;", "}"], check=False)
def _install_chain(name, hook, priority):
_nft(
[
"add",
"chain",
"inet",
"wolf_gatekeeper",
"input",
name,
"{",
"type",
"filter",
"hook",
"input",
hook,
"priority",
"-90;",
priority,
"policy",
"accept;",
"}",
],
check=False,
)
_nft(["flush", "chain", "inet", "wolf_gatekeeper", "input"], check=False)
_nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "iifname", "lo", "accept"])
_nft(["flush", "chain", "inet", "wolf_gatekeeper", name], check=False)
_nft(["add", "rule", "inet", "wolf_gatekeeper", name, "iifname", "lo", "accept"])
for cidr in PRIVATE_V4:
_nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip", "saddr", cidr, "accept"])
_nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip", "saddr", cidr, "accept"])
for cidr in PRIVATE_V6:
_nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip6", "saddr", cidr, "accept"])
_nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip", "saddr", "@allowed_v4", "tcp", "dport", *_port_set(TCP_PORTS), "accept"])
_nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip", "saddr", "@allowed_v4", "udp", "dport", *_port_set(UDP_PORTS), "accept"])
_nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip6", "saddr", "@allowed_v6", "tcp", "dport", *_port_set(TCP_PORTS), "accept"])
_nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip6", "saddr", "@allowed_v6", "udp", "dport", *_port_set(UDP_PORTS), "accept"])
_nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "tcp", "dport", *_port_set(TCP_PORTS), "drop"])
_nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "udp", "dport", *_port_set(UDP_PORTS), "drop"])
_nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip6", "saddr", cidr, "accept"])
_nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip", "saddr", "@allowed_v4", "tcp", "dport", *_port_set(TCP_PORTS), "accept"])
_nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip", "saddr", "@allowed_v4", "udp", "dport", *_port_set(UDP_PORTS), "accept"])
_nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip6", "saddr", "@allowed_v6", "tcp", "dport", *_port_set(TCP_PORTS), "accept"])
_nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip6", "saddr", "@allowed_v6", "udp", "dport", *_port_set(UDP_PORTS), "accept"])
_nft(["add", "rule", "inet", "wolf_gatekeeper", name, "tcp", "dport", *_port_set(TCP_PORTS), "drop"])
_nft(["add", "rule", "inet", "wolf_gatekeeper", name, "udp", "dport", *_port_set(UDP_PORTS), "drop"])
def _ensure_rules():
_nft(["add", "table", "inet", "wolf_gatekeeper"], check=False)
_nft(["add", "set", "inet", "wolf_gatekeeper", "allowed_v4", "{", "type", "ipv4_addr;", "flags", "timeout;", "}"], check=False)
_nft(["add", "set", "inet", "wolf_gatekeeper", "allowed_v6", "{", "type", "ipv6_addr;", "flags", "timeout;", "}"], check=False)
_install_chain("prerouting", "prerouting", "-300;")
_install_chain("input", "input", "-90;")
def _validate_ip(value):
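Review bot: `_install_chain` flushes the chain and then re-adds its rules one `_nft` call at a time under `policy accept`, so between the `flush` and the two final `drop` rules the streaming ports are ungated. If any intermediate `add rule` fails, the chain is left without its `drop` rules and therefore open. The commit carries this pattern over to the new `prerouting` chain, which is the one meant to gate traffic before node routing. Consider rendering the whole table as one ruleset and loading it in a single `nft -f` transaction, so the previous rules stay in force until the new set replaces them atomically. Separately, a base chain on the prerouting hook at priority `-300` runs before conntrack and DNAT and also sees forwarded packets, so a comment such as `# prerouting: evaluated before conntrack/DNAT; matches forwarded traffic as well as local delivery` above the `_install_chain("prerouting", ...)` call would make the scope of the port `drop` rules explicit.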