Support IPv6

pkg/netconf/tpl/nftrules.tpl

@@ -7,12 +7,14 @@ table inet metal {
         iifname "lo" counter accept comment "BGP unnumbered"
         iifname "lan0" ip6 saddr fe80::/64 tcp dport bgp counter accept comment "bgp unnumbered input from lan0"
         iifname "lan1" ip6 saddr fe80::/64 tcp dport bgp counter accept comment "bgp unnumbered input from lan1"
+        // TODO Must contain the source ips of the node-network
         iifname "lan0" ip saddr 10.0.0.0/8 udp dport 4789 counter accept comment "incoming VXLAN lan0"
         iifname "lan1" ip saddr 10.0.0.0/8 udp dport 4789 counter accept comment "incoming VXLAN lan1"
 
         ct state established,related counter accept comment "stateful input"
         {{- if .DNSProxyDNAT.DestSpec.Address }}
 
+        // TODO Must contain the source ips of the node-network
         ip saddr 10.0.0.0/8 tcp dport {{ .DNSProxyDNAT.Port }} {{ .DNSProxyDNAT.DestSpec.AddressFamily }} daddr {{ .DNSProxyDNAT.DestSpec.Address }} accept comment "{{ .DNSProxyDNAT.Comment }}"
         ip saddr 10.0.0.0/8 udp dport {{ .DNSProxyDNAT.Port }} {{ .DNSProxyDNAT.DestSpec.AddressFamily }} daddr {{ .DNSProxyDNAT.DestSpec.Address }} accept comment "{{ .DNSProxyDNAT.Comment }}"
         {{- end }}
@@ -22,6 +24,7 @@ table inet metal {
         {{- else -}}
         tcp dport ssh ct state new counter accept comment "SSH incoming connections"
         {{- end }}
+        // TODO Must contain the source ips of the node-network
         ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
         ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
 
@@ -105,6 +108,7 @@ table inet nat {
     }
     chain postrouting {
         type nat hook postrouting priority 0; policy accept;
+        // TODO maybe no NAT in case the node network does not have nat enabled and is ipv6
         {{- range .SNAT }}
         {{- $cmt:=.Comment }}
         {{- $out:=.OutInterface }}