Merge branch 'tmshlvck/infradcrenumbering' into 'master'

Add new FR1 + CH1 InfraDC prefixes Add new FR1 InfraDC prefix 2602:fb2b:110::/48 to all hardcoded lists Modify all hard-coded addresses in old FR1 subnet 2001:4d78:40d::/48 to start using the new subnet Add new CH1 InfraDC prefix 2602:fb2b:120::/48 to all hardcoded lists Modify all hard-coded addresses in old CH1 subnet 2607:f6f0:3004::/48 to start using the new subnet See merge request dfinity-lab/public/ic!15750
dfinity · Oct 31, 2023 · 55e5d9a · 55e5d9a
2 parents 3d44d7e + c4a70b9
commit 55e5d9a
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 5 deletions.
diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/whitelist_rosetta.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/whitelist_rosetta.conf
@@ -1,9 +1,11 @@
 # Internal Traffic (Pritunl VPN)
-allow 2001:4d78:40d::/48;  # FR1
+allow 2001:4d78:40d::/48;  # FR1-old
+allow 2602:fb2b:110::/48;  # FR1
 allow 2a00:fb01:400::/56;  # ZH1
 allow 2607:fb58:9005::/48; # SF1-old
 allow 2602:fb2b:100::/48;  # SF1
-allow 2607:f6f0:3004::/48; # CH1
+allow 2607:f6f0:3004::/48; # CH1-old
+allow 2602:fb2b:120::/48; # CH1
 
 # Third Party Clients
 allow 212.71.124.194;

diff --git a/ic-os/guestos/rootfs/opt/ic/share/ic.json5.template b/ic-os/guestos/rootfs/opt/ic/share/ic.json5.template
@@ -232,7 +232,7 @@ table ip6 filter {\n\
   chain OUTPUT {\n\
     type filter hook output priority 0; policy accept;\n\
     meta skuid ic-http-adapter ip6 daddr { ::1/128 } ct state { new } tcp dport { 1-19999 } reject # Block restricted localhost ic-http-adapter HTTPS access\n\
-    meta skuid ic-http-adapter ip6 daddr { 2a00:fb01:400:42::/64, 2001:4d78:40d::/48, 2607:fb58:9005::/48, 2602:fb2b:100::/48, 2607:f6f0:3004::/48, 2a05:d01c:d9:2b00::/56, 2a05:d01c:e2c:a700::/56 } ct state { new } tcp dport { 1-19999 } reject # Block restricted outbound ic-http-adapter HTTPS access\n\
+    meta skuid ic-http-adapter ip6 daddr { 2a00:fb01:400:42::/64, 2001:4d78:40d::/48, 2602:fb2b:110::/48, 2607:fb58:9005::/48, 2602:fb2b:100::/48, 2607:f6f0:3004::/48, 2602:fb2b:120::/48, 2a05:d01c:d9:2b00::/56, 2a05:d01c:e2c:a700::/56 } ct state { new } tcp dport { 1-19999 } reject # Block restricted outbound ic-http-adapter HTTPS access\n\
     <<IPv6_OUTBOUND_RULES>>\n\
   }\n\
 }\n",
@@ -249,6 +249,7 @@ table ip6 filter {\n\
             "2001:470:1:c76::/64",
             "2001:4d78:400:10a::/64",
             "2001:4d78:40d::/48",
+            "2602:fb2b:110::/48",
             "2001:920:401a:1706::/64",
             "2001:920:401a:1708::/64",
             "2001:920:401a:1710::/64",
@@ -290,6 +291,7 @@ table ip6 filter {\n\
             "2604:b900:4001:76::/64",
             "2607:f1d0:10:1::/64",
             "2607:f6f0:3004::/48",
+            "2602:fb2b:120::/48",
             "2607:f758:1220::/64",
             "2607:f758:c300::/64",
             "2607:fb58:9005::/48",

diff --git a/ic-os/hostos/rootfs/etc/nftables.conf b/ic-os/hostos/rootfs/etc/nftables.conf
@@ -61,15 +61,17 @@ table ip6 filter {
         2001:920:401a:1710::/64,        # BR1
         2001:920:401a:1706::/64,        # BR2
         2a04:9dc0:0:108::/64,           # BU1
-        2607:f6f0:3004::/48,            # CH1
+        2607:f6f0:3004::/48,            # CH1-old
+        2602:fb2b:120::/48,             # CH1 InfraDC prefix
         2604:7e00:50::/64,              # CH2
         2607:ff70:3:2::/64,             # CH3
         2604:1380:4641:6100::/56,       # DA11 Equinix boundary
         2600:3000:6100:200::/64,        # DL1
         2604:6800:258:1::/64,           # DM1 InfraDC annex
         2600:3000:1300:1300::/64,       # DN1 
         2001:470:1:c76::/64,            # FM1
-        2001:4d78:40d::/48,             # FR1
+        2001:4d78:40d::/48,             # FR1-old
+        2602:fb2b:110::/48,             # FR1 InfraDC prefix
         2001:4d78:400:10a::/64,         # FR2
         2604:1380:4091:3000::/56,       # FR2 Equinix boundary
         2a0f:cd00:2::/56,               # GE1