From 84237aae0a8b132960811ffd22c5d4a3194932a4 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Apr 13 2024 10:29:13 +0000
Subject: Merge branch 'crameleon/asgard-dcc' into 'production'

Allow mx-test outbound DCC access

See merge request infra/salt!1676
---
diff --git a/salt/files/nftables/asgard/zones/00_global.nft b/salt/files/nftables/asgard/zones/00_global.nft
index 97f5c5c..b3a6374 100644
--- a/salt/files/nftables/asgard/zones/00_global.nft
+++ b/salt/files/nftables/asgard/zones/00_global.nft
@@ -44,7 +44,7 @@
 # traceroute
 udp dport != { 53, 123, 514 } ip protocol udp log prefix "[UDP Rejected] " reject
- udp dport != { 53, 1053, 123, 514, 3780, 60000-61000 } ip6 nexthdr udp log prefix "[UDP Rejected] " reject
+ udp dport != { 53, 1053, 123, 514, 3780, 6277, 60000-61000 } ip6 nexthdr udp log prefix "[UDP Rejected] " reject
 }
diff --git a/salt/files/nftables/asgard/zones/1209_os-mail.nft b/salt/files/nftables/asgard/zones/1209_os-mail.nft
index f16e4a9..0001185 100644
--- a/salt/files/nftables/asgard/zones/1209_os-mail.nft
+++ b/salt/files/nftables/asgard/zones/1209_os-mail.nft
@@ -23,6 +23,9 @@
 ip6 daddr $host6_hel ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } accept
 ip6 saddr @host6_mx ip6 daddr $host6_hel tcp dport 3307 accept
+ #mx-test -> * (evaluating DCC)
+ ip6 saddr $host6_mx-test udp dport 6277 log prefix "[DCC out] " accept + log prefix "[Mail Denied] " reject with icmpv6 type admin-prohibited
 }
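Review bot: Adding 6277 to the IPv6 port set on the `+` line in 00_global.nft exempts UDP/6277 from the global reject for every IPv6 source this rule sees, not only mx-test, and the set now sits under a `# traceroute` comment that no longer describes its contents; a comment naming the port and where the actual authorization lives would help, e.g. `# 6277: DCC, permitted per-host in 1209_os-mail.nft (mx-test evaluation)`. The IPv4 rule on the line above was not extended, so DCC over IPv4 stays rejected and logged; that matches the ip6-only accept in the mail zone, but if that zone rule is later narrowed or removed, this global entry should be removed with it so the exemption does not outlive its only user. The enclosing chain starts outside the hunk.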
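Review bot: The added `ip6 saddr $host6_mx-test udp dport 6277 log prefix "[DCC out] " accept` rule in 1209_os-mail.nft carries no `ip6 daddr` match, so it permits UDP/6277 from mx-test to any IPv6 destination, and the only hint that this is temporary is "(evaluating DCC)"; the comment should state the exit condition, e.g. `#mx-test -> * (evaluating DCC; narrow to the DCC server addresses or remove when the evaluation ends)`. Unlike the neighbouring rules, which log only on denial, this one logs on accept and will emit one entry per DCC query, which is fine for an evaluation but worth revisiting if the rule becomes permanent. The chain being edited starts outside the hunk; the unconditional `[Mail Denied]` reject and closing `}` appear to be the existing catch-all, so the new rule is placed ahead of it as intended.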