fix(ic-os): Update telemetry datacenters in HostOS.
DFINITYManu committed Jan 18, 2024
1 parent 356f24d commit a47bd69
Showing 1 changed file with 85 additions and 83 deletions.
168 changes: 85 additions & 83 deletions ic-os/hostos/rootfs/etc/nftables.conf
@@ -79,93 +79,95 @@ table ip6 filter {
}

set dfinity_dcs {
type ipv6_addr
flags interval
elements = {
2604:1380:4601:6200::/56, # AM6 Equinix boundary
2001:920:401a:1708::/64, # AN1
2607:f758:1220::/64, # AT1
2604:3fc0:2001::/48, # AT2
2604:7e00:30:3::/64, # AW1
2001:438:fffd:11c::/64, # BC1
2600:c0d:3002:4::/64, # BO1
2001:920:401a:1710::/64, # BR1
2001:920:401a:1706::/64, # BR2
2a04:9dc0:0:108::/64, # BU1
2607:f6f0:3004::/48, # CH1-old
2602:fb2b:120::/48, # CH1 InfraDC prefix
2604:7e00:50::/64, # CH2
2607:ff70:3:2::/64, # CH3
2604:1380:4641:6100::/56, # DA11 Equinix boundary
2600:3000:6100:200::/64, # DL1
2604:6800:258:1::/64, # DM1 InfraDC annex
2600:3000:1300:1300::/64, # DN1
2001:470:1:c76::/64, # FM1
2001:4d78:40d::/48, # FR1-old
2602:fb2b:110::/48, # FR1 InfraDC prefix
2001:4d78:400:10a::/64, # FR2
2604:1380:4091:3000::/56, # FR2 Equinix boundary
2a0f:cd00:2::/56, # GE1
2a00:fa0:3::/48, # GE2
2604:b900:4001:76::/64, # HU1
2600:2c01:21::/64, # JV1
2a02:800:2:2003::/64, # LJ1
2a0b:21c0:4003:2::/64, # LN1
2600:3006:1400:1500::/64, # LV1
2a00:fc0:5000:300::/64, # MB1
2001:1900:2100:2827::/64, # MM1
2a0b:21c0:b002:2::/64, # MR1
2a01:138:900a::/48, # MU1
2607:f1d0:10:1::/64, # NY1
2604:3fc0:3002::/48, # OR1
2610:190:6000:1::/64, # PH1
2600:3004:1200:1200::/56, # PL1
2600:c00:2:100::/64, # SE1 InfraDC annex
2602:fb2b:100::/48, # SF1 InfraDC prefix
2401:3f00:1000:24::/64, # SG1
2604:1380:40e1:4700::/56, # SG1 Equinix boundary
2401:3f00:1000:22::/64, # SG2
2401:3f00:1000:23::/64, # SG3
2600:c02:b002:15::/64, # SJ1
2610:190:df01:5::/64, # ST1
2604:1380:45e1:a600::/56, # SV15 Equinix boundary
2607:f758:c300::/64, # TP1
2602:ffe4:801:16::/64, # TY1
2602:ffe4:801:17::/64, # TY2
2602:ffe4:801:18::/64, # TY3
2a00:fb01:400::/55, # ZH1
2a00:fb01:400:100::/64, # ZH2
2a02:418:3002::/48, # ZH3
2a02:41b:300e::/48, # ZH4
2a01:2a8:a13d::/48, # ZH5
2a01:2a8:a13c::/48, # ZH6
2a01:2a8:a13e::/48, # ZH7
fd00:2:1:1::/64 # Private prefix used by [Ref A]
} # comment "DFINITY operated DC's"
# [Ref A]
# ic/testnet/tests/pipeline/pipeline.yml
# ic/ic-os/guestos/rootfs/opt/ic/share/ic.json5.template
# ic/ic-os/guestos/tests/vmtools.py
# ic/ic-os/guestos/tests/Readme.md
# This is used by the qemu-system instances spawned inside of the docker gitlab-runner to allow multiple deterministic dynamic on-the-fly VM "test" nodes for running automated tests. Each docker namespace has its own IP network stack so many of these can be running in parallel at the same time between different runs and they will not interfere with each other as a result.
# Why "Ref A"? nftables config syntax disallows newlines and comments between the last line of a set and the closing brace.
auto-merge # Prevent "Conflicting Intervals" errors
type ipv6_addr
flags interval
elements = {
2604:1380:4601:6200::/56, # AM6 Equinix boundary
2001:920:401a:1708::/64, # AN1
2607:f758:1220::/64, # AT1
2604:3fc0:2001::/48, # AT2
2604:7e00:30:3::/64, # AW1
2001:438:fffd:11c::/64, # BC1
2600:c0d:3002:4::/64, # BO1
2001:920:401a:1710::/64, # BR1
2001:920:401a:1706::/64, # BR2
2a04:9dc0:0:108::/64, # BU1
2607:f6f0:3004::/48, # CH1-old
2602:fb2b:120::/48, # CH1 InfraDC prefix
2604:7e00:50::/64, # CH2
2607:ff70:3:2::/64, # CH3
2604:1380:4641:6100::/56, # DA11 Equinix boundary
2600:3000:6100:200::/64, # DL1
2604:6800:258:1::/64, # DM1 InfraDC annex
2600:3000:1300:1300::/64, # DN1
2001:470:1:c76::/64, # FM1
2001:4d78:40d::/48, # FR1-old
2602:fb2b:110::/48, # FR1 InfraDC prefix
2001:4d78:400:10a::/64, # FR2
2604:1380:4091:3000::/56, # FR2 Equinix boundary
2a0f:cd00:2::/56, # GE1
2a00:fa0:3::/48, # GE2
2604:b900:4001:76::/64, # HU1
2600:2c01:21::/64, # JV1
2a02:800:2:2003::/64, # LJ1
2a0b:21c0:4003:2::/64, # LN1
2600:3006:1400:1500::/64, # LV1
2a00:fc0:5000:300::/64, # MB1
2001:1900:2100:2827::/64, # MM1
2a0b:21c0:b002:2::/64, # MR1
2a01:138:900a::/48, # MU1
2607:f1d0:10:1::/64, # NY1
2604:3fc0:3002::/48, # OR1
2610:190:6000:1::/64, # PH1
2600:3004:1200:1200::/56, # PL1
2600:c00:2:100::/64, # SE1 InfraDC annex
2602:fb2b:100::/48, # SF1 InfraDC prefix
2401:3f00:1000:24::/64, # SG1
2604:1380:40e1:4700::/56, # SG1 Equinix boundary
2401:3f00:1000:22::/64, # SG2
2401:3f00:1000:23::/64, # SG3
2600:c02:b002:15::/64, # SJ1
2610:190:df01:5::/64, # ST1
2604:1380:45e1:a600::/56, # SV15 Equinix boundary
2607:f758:c300::/64, # TP1
2602:ffe4:801:16::/64, # TY1
2602:ffe4:801:17::/64, # TY2
2602:ffe4:801:18::/64, # TY3
2a00:fb01:400::/55, # ZH1
2a00:fb01:400:100::/64, # ZH2
2a02:418:3002::/48, # ZH3
2a02:41b:300e::/48, # ZH4
2a01:2a8:a13d::/48, # ZH5
2a01:2a8:a13c::/48, # ZH6
2a01:2a8:a13e::/48, # ZH7
fd00:2:1:1::/64 # Private prefix used by [Ref A]
} # comment "DFINITY operated DC's"

# [Ref A]
# ic/testnet/tests/pipeline/pipeline.yml
# ic/ic-os/guestos/rootfs/opt/ic/share/ic.json5.template
# ic/ic-os/guestos/tests/vmtools.py
# ic/ic-os/guestos/tests/Readme.md
# This is used by the qemu-system instances spawned inside of the docker gitlab-runner to allow multiple deterministic dynamic on-the-fly VM "test" nodes for running automated tests. Each docker namespace has its own IP network stack so many of these can be running in parallel at the same time between different runs and they will not interfere with each other as a result.
# Why "Ref A"? nftables config syntax disallows newlines and comments between the last line of a set and the closing brace.
auto-merge # Prevent "Conflicting Intervals" errors
}

set metrics_clients {
type ipv6_addr
flags interval
elements = {
2a05:d014:939:bf00::/56, # AWS eu-central-1 Frankfurt Hydra VPC
2a05:d01c:d9:2b00::/56, # AWS eu-west-2 London Monitoring Testnet VPC
2a05:d01c:e2c:a700::/56 # AWS eu-west-2 London Monitoring VPC
} # comment "Metrics infrastructure"
set telemetry_clients {
type ipv6_addr
flags interval
elements = {
2607:f6f0:3004::/48, # CH1-old
2602:fb2b:120::/48, # CH1 InfraDC prefix
2001:4d78:40d::/48, # FR1-old
2602:fb2b:110::/48, # FR1 InfraDC prefix
2602:fb2b:100::/48 # SF1 InfraDC prefix
} # comment "Telemetry infrastructure"
}

set node_providers { # comment "Node provider allowlist. Filled out dynamically."
type ipv6_addr
flags interval
type ipv6_addr
flags interval
}

chain metrics_proxy {
@@ -189,7 +191,7 @@ table ip6 filter {
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-neighbor-advert accept
ip6 saddr @dfinity_dcs ct state { new } tcp dport { 22, 9100, 19531 } accept
ip6 saddr @metrics_clients ct state { new } tcp dport { 9100, 19531, 19100 } accept
ip6 saddr @telemetry_clients ct state { new } tcp dport { 9100, 19531, 19100 } accept
ip6 saddr @node_providers ct state { new } tcp dport { 22, 9100, 19531 } accept
tcp dport { 42372 } goto metrics_proxy
}
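Review bot: The `telemetry_clients` set admits five whole /48 datacenter prefixes to ports 9100, 19531 and 19100, where the `metrics_clients` set it appears to replace listed three /56 VPCs, and it still carries the `CH1-old` and `FR1-old` ranges. All five prefixes are also in `dfinity_dcs`, whose rule already accepts 9100 and 19531, so the only access the `@telemetry_clients` rule adds is port 19100 for every host in those /48s. If the telemetry scrapers sit in a known subnet, a narrower prefix would keep the allowlist closer to least privilege. Otherwise a comment on the set, such as `# -old prefixes kept only until the InfraDC migration completes; remove afterwards`, would stop stale ranges from lingering. The rendered page has lost its +/- markers, so which set is old and which is new is inferred from the commit title, and the whitespace-only re-indent of `dfinity_dcs` makes it hard to confirm that no prefix changed there.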