- hold the metal-api networks in the firewall spec - this is the alternative to parsing `/etc/metal/install.yaml` or passing all network data with distinct parameters (we had privateVrfID ... but this is superfluous now) and lets us easily access their prefixes, VRF IDs and the IPs that were given with the allocation; this is also preparation for moving the firewall spec from shoots to the seed cluster.
- use a simple SNAT rule if there is only one SNAT IP configured
- use a hash over `tcp daddr and tcp sport` to distribute consistently over a nftables map when there are multiple SNAT IPs configured
- specify a network name instead of an interface for rate limiting
- add/remove dynamic SNAT addresses as stated in the spec but avoid removing the IPs that were given with the allocation
- split up `pkg/nftables/firewall.go`: move all the rendering stuff into a separate file `rendering.go`
Closes #51
Considerations:
RFC @mwennrich @majst01
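The two SNAT behaviours described in this PR, rendering a plain `snat to` for a single IP versus a hashed nftables map for several, and reconciling dynamic SNAT addresses without ever dropping the allocation-given ones, as an added Go example. This is not the firewall-controller's own rendering code: `RenderSNATTarget` and `ReconcileSNATAddresses` are hypothetical names, and the `ip daddr . tcp sport` hash input is an assumption about the concrete nftables syntax.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// RenderSNATTarget (hypothetical helper) renders the nftables snat target: one
// IP gives a plain "snat to"; several IPs hash each flow onto a stable map.
func RenderSNATTarget(ips []string) (string, error) {
	if len(ips) == 0 {
		return "", fmt.Errorf("no SNAT IPs configured")
	}
	sorted := append([]string(nil), ips...)
	sort.Strings(sorted) // stable map indices across reconciliations
	if len(sorted) == 1 {
		return "snat to " + sorted[0], nil
	}
	entries := make([]string, len(sorted))
	for i, ip := range sorted {
		entries[i] = fmt.Sprintf("%d : %s", i, ip)
	}
	// Assumed nftables syntax: hash over destination address and source port.
	return fmt.Sprintf("snat to jhash ip daddr . tcp sport mod %d map { %s }",
		len(sorted), strings.Join(entries, ", ")), nil
}
// ReconcileSNATAddresses returns what to add (in spec, not configured) and what
// to remove (configured, neither in spec nor given with the allocation).
func ReconcileSNATAddresses(current, spec, allocated []string) (add, remove []string) {
	set := func(l []string) map[string]bool {
		m := map[string]bool{}
		for _, ip := range l {
			m[ip] = true
		}
		return m
	}
	cur, want, keep := set(current), set(spec), set(allocated)
	for _, ip := range spec {
		if !cur[ip] {
			add = append(add, ip)
		}
	}
	for _, ip := range current {
		if !want[ip] && !keep[ip] {
			remove = append(remove, ip)
		}
	}
	return add, remove
}
```

Sorting the configured IPs before numbering the map keeps a given flow on the same SNAT address across controller restarts, which is what makes the hashed distribution "consistent".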