From 1883a539d0cfb3b8450c2fe0218d9b9d3a91f0e7 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 13 Nov 2025 23:26:56 -0500
Subject: [PATCH] nftables: include our own anycast addresses
---
 etc/nftables/nftables-ns1.conf | 2 +-
 etc/nftables/nftables-ns2.conf | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/etc/nftables/nftables-ns1.conf b/etc/nftables/nftables-ns1.conf
index f8fd0af..9faffe5 100644
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@@ -8,7 +8,7 @@ table inet filter {
 define udp-ports = 53
 define ip-anycast = 185.187.152.9
- define ip6-anycast = 2a05:b0c4:1::8
+ define ip6-anycast = { 2602:f4d9::1, 2a05:b0c4:1::8 }
 define ip-allowlist-ssh = {
 {{ssh_ipv4}},
diff --git a/etc/nftables/nftables-ns2.conf b/etc/nftables/nftables-ns2.conf
index b87e167..bbb2561 100644
--- a/etc/nftables/nftables-ns2.conf
+++ b/etc/nftables/nftables-ns2.conf
@@ -7,7 +7,8 @@ table inet filter {
 define tcp-ports-full = { 22, $tcp-ports }
 define udp-ports = 53
- define ip-anycast = 198.251.90.93
+ define ip-anycast = { 23.149.124.1, 198.251.90.93 }
+ define ip6-anycast = 2602:f4d9:1::1
 define ip-allowlist-ssh = {
 {{ssh_ipv4}},
@@ -90,6 +91,7 @@ table inet filter {
 udp dport $udp-ports notrack accept
 tcp dport 22 ip daddr $ip-anycast drop
+ tcp dport 22 ip6 daddr $ip6-anycast drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
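Review bot: In the ns1 hunk only `ip6-anycast` gains an own-prefix entry (2602:f4d9::1) while `ip-anycast` stays the single 185.187.152.9, whereas ns2 gets both an own IPv4 (23.149.124.1) and IPv6 address; if ns1 also answers DNS on an IPv4 address from the same block as 23.149.124.1, it is missing from `define ip-anycast` here and SSH to it would not be caught by the `ip daddr $ip-anycast drop` rule. The subject line suggests the two entries play different roles (own prefix vs. provider anycast), so a comment recording that would help the next edit, e.g. `# 2602:f4d9::1 is our own prefix, 2a05:b0c4:1::8 the provider's anycast — both must stay in the SSH drop rule`. The enclosing `table inet filter` block and the ns1 rules that consume these defines are outside this hunk, so whether ns1 already has an IPv6 drop rule cannot be confirmed from the patch.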
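Review bot: The added `tcp dport 22 ip6 daddr $ip6-anycast drop` line, like the IPv4 rule above it, gives no reason why SSH is dropped on the anycast destinations while `tcp-ports-full` still includes 22 for the synproxy/accept path that follows; a one-line comment above the pair would make the intent survive the next edit, e.g. `# SSH only on unicast: anycast destinations may reach any node, so drop rather than reject (no RST leaks which node answered)`. The "any node" part is an inference from the address naming and should be confirmed by whoever owns the routing. The surrounding chain starts and ends outside the hunk, so rule ordering relative to an earlier generic port-22 accept, if any, is not visible here.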