bob-common: add helper iptables func drop_dst_ip

ilyaluk · ilyaluk · commit ba5911fbb211 · 2025-10-24T16:12:18.000+04:00
diff --git a/bob-common/mkosi.extra/usr/bin/init-firewall.sh b/bob-common/mkosi.extra/usr/bin/init-firewall.sh
@@ -124,6 +124,14 @@ accept_dst_ip_port() {
                          -m comment --comment "$comment"
 }
 
+drop_dst_ip() {
+    chain="$1"
+    ip="$2"
+    comment="$3"
+
+    iptables -A "$chain" -d "$ip" -j DROP \
+                         -m comment --comment "$comment"
+}
 
 ###########################################################################
 # (5) Load firewall rules in {MAINTENANCE,PRODUCTION}_{IN,OUT} chains.
diff --git a/bob-l1/mkosi.extra/etc/firewall-config b/bob-l1/mkosi.extra/etc/firewall-config
@@ -84,9 +84,7 @@ accept_dst_port $CHAIN_MAINTENANCE_IN udp $EL_P2P_PORT "EL P2P (UDP)"
 ###########################################################################
 
 # Block Flashbots protect tx endpoints during maintenance
-iptables -A $CHAIN_MAINTENANCE_OUT \
-    -d $FLASHBOTS_TX_STREAM_1,$FLASHBOTS_TX_STREAM_2 -j DROP \
-    -m comment --comment "Flashbots Protect (DROP before accept-all 443)"
+drop_dst_ip $CHAIN_MAINTENANCE_OUT $FLASHBOTS_TX_STREAM_1,$FLASHBOTS_TX_STREAM_2 "Flashbots Protect (DROP before accept-all rules)"
 
 accept_dst_port $CHAIN_MAINTENANCE_OUT udp $DNS_PORT "DNS (UDP)"
 accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $DNS_PORT "DNS (TCP)"
