Disable IPv6 forwarding on node 2

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

firewall/restrict-http.conf

@@ -8,8 +8,9 @@ table inet filter {
     }
     chain forward {
         type filter hook forward priority 0; policy accept
-        ip6 saddr fd00:42::/32 dport { 80 } reject;
-        ip6 daddr fd00:42::/32 dport { 80 } reject;
+        ip daddr 172.17.0.0/30 tcp dport { 80 } accept;
+        tcp dport { 0-65535 } reject;
+        udp dport { 0-65535 }  reject;
         accept
     }
     chain output {

start.sh

@@ -112,8 +112,11 @@ tmux send-keys -t ns1 "ip route add 172.17.2.0/24 via 172.17.1.2 dev vde1 proto
 ip route add 172.17.1.0/24 via 172.17.0.2
 ip route add 172.17.2.0/24 via 172.17.0.2
 
-# Restrict HTTP transport on node 2
+# Restrict HTTP transport on nodes 2 and 3
 tmux send-keys -t ns2 "nft -f $dir/firewall/restrict-http.conf" Enter
+tmux send-keys -t ns3 "nft -f $dir/firewall/restrict-http.conf" Enter
+# Disable ip forwarding on node 2, woops
+tmux send-keys -t ns2 "sleep 10 && sysctl -w net.ipv6.conf.all.forwarding=0" Enter
 
 for i in 1 2 3 4; do
   mkdir -p $dir/certs/node$i $dir/states/node$i
@@ -125,8 +128,8 @@ for i in 1 2 3 4; do
     sleep 15
   fi
   tmux split-window -h -t ns$i nsenter -t `cat $dir/run/node$i.pid` --net
-  subnet=1
-  if [[ $i == 4 ]]; then subnet=2; fi
+  subnet=2
+  if [[ $i == 1 ]]; then subnet=1; fi
   tmux send-keys -t ns$i "re6stnet --registry http://172.17.0.1 --ip 172.17.$subnet.$i --ca $dir/certs/node$i/ca.crt --cert $dir/certs/node$i/cert.crt --key $dir/certs/node$i/cert.key --state $dir/states/node$i --log $dir/log/node$i --run $dir/run/re6stnet-node$i.pid" Enter
   tmux select-pane -t ns$i -L
 done