bob-l2: adjust firewall rules to include metadata IPs

ilyaluk · ilyaluk · commit 7fc7f12f8e59 · 2025-10-24T01:15:57.000+04:00
diff --git a/bob-l2/mkosi.extra/etc/firewall-config b/bob-l2/mkosi.extra/etc/firewall-config
@@ -25,8 +25,7 @@ accept_dst_port $CHAIN_ALWAYS_IN tcp $SSH_CONTROL_PORT "SSH control port"
 accept_dst_port $CHAIN_ALWAYS_IN udp $SEARCHER_INPUT_PORT "Searcher input channel"
 
 # We drive op-geth in the searcher container from external op-node
-# TODO: parametrize op-node IP range
-accept_src_ip_dst_port $CHAIN_ALWAYS_IN tcp "10.0.0.0/8" $ENGINE_API_PORT "Engine API"
+accept_src_ip_dst_port $CHAIN_ALWAYS_IN tcp "$METADATA_BOB_L2_OP_NODE_CIDR" $ENGINE_API_PORT "Engine API"
 
 # CVM reverse-proxy serves server attestation
 # Also forwards request to ssh pubkey server on localhost:5001,
@@ -41,7 +40,7 @@ accept_dst_port $CHAIN_ALWAYS_IN tcp $CVM_REVERSE_PROXY_PORT "CVM reverse-proxy"
 # See also init-container.sh
 accept_dst_port $CHAIN_ALWAYS_OUT udp $NTP_PORT "NTP"
 
-# TODO: simulator bundle endpoint will be here, parameterized
+accept_dst_ip_port $CHAIN_ALWAYS_OUT tcp "$METADATA_BOB_L2_BACKRUNS_IP" $HTTP_PORT "bundle"
 
 ###########################################################################
 # (3) MAINTENANCE_IN: Inbound rules for Maintenance Mode
@@ -57,6 +56,9 @@ accept_dst_port $CHAIN_MAINTENANCE_IN udp $OP_GETH_P2P_PORT "op-geth P2P (UDP)"
 # (4) MAINTENANCE_OUT: Outbound rules for Maintenance Mode
 ###########################################################################
 
+# Block tx endpoint during maintenance
+drop_dst_ip $CHAIN_MAINTENANCE_OUT "$METADATA_BOB_L2_TX_STREAM_IP" "tx stream (DROP before accept-all rules)"
+
 accept_dst_port $CHAIN_MAINTENANCE_OUT udp $DNS_PORT "DNS (UDP)"
 accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $DNS_PORT "DNS (TCP)"
 
@@ -76,6 +78,4 @@ accept_dst_port $CHAIN_MAINTENANCE_OUT udp $OP_GETH_P2P_PORT "op-geth P2P (UDP)"
 # (6) PRODUCTION_OUT: Outbound rules for Production Mode
 ###########################################################################
 
-# None at the moment
-
-# TODO: simulator tx stream websocket will be here, parameterized
+accept_dst_ip_port $CHAIN_PRODUCTION_OUT tcp "$METADATA_BOB_L2_TX_STREAM_IP" $HTTP_PORT "tx stream"
diff --git a/bob-l2/mkosi.extra/etc/searcher-container-init-extra b/bob-l2/mkosi.extra/etc/searcher-container-init-extra
@@ -1,7 +1,19 @@
 # This script is sourced from init-container.sh and contains image-specific stuff
 # See also: bob-common/mkosi.extra/usr/bin/init-container.sh
 
-echo "Injecting static hosts into searcher container..."
-exec_in_container '
+exec_in_container "
     cat <<EOF >> /etc/hosts
-EOF'
+$METADATA_BOB_L2_TX_STREAM_IP tx-stream.internal
+$METADATA_BOB_L2_BACKRUNS_IP  backruns.internal
+EOF"
+
+# Copy metadata into the container for transparency
+#
+# This might be implemented as bind read-only mount in the future,
+# but customizing container startup per bob-l2 is too complex for now
+
+metadata=$(cat /etc/metadata.env)
+exec_in_container "
+    cat <<EOF >> /etc/metadata.env
+$metadata
+EOF"
