chore: clean up allowlisted IPv6 prefixes

ic-os/components/networking/nftables/hostos/nftables.template

@@ -87,65 +87,16 @@ table ip6 filter {
     type ipv6_addr
     flags interval
     elements =  {
-      2604:1380:4601:6200::/56,       # AM6 Equinix boundary
-      2001:920:401a:1708::/64,        # AN1
-      2607:f758:1220::/64,            # AT1
-      2604:3fc0:2001::/48,            # AT2
-      2604:7e00:30:3::/64,            # AW1
-      2001:438:fffd:11c::/64,         # BC1
-      2600:c0d:3002:4::/64,           # BO1
-      2001:920:401a:1710::/64,        # BR1
-      2001:920:401a:1706::/64,        # BR2
-      2a04:9dc0:0:108::/64,           # BU1
-      2602:fb2b:120::/48,             # CH1 InfraDC prefix
-      2604:7e00:50::/64,              # CH2
-      2607:ff70:3:2::/64,             # CH3
-      2604:1380:4641:6100::/56,       # DA11 Equinix boundary
-      2600:3000:6100:200::/64,        # DL1
-      2604:6800:258:1::/64,           # DM1 InfraDC annex
-      2602:fb2b:100::/48,             # DM1
-      2600:3000:1300:1300::/64,       # DN1
-      2001:470:1:c76::/64,            # FM1
-      2602:fb2b:110::/48,             # FR1 InfraDC prefix
-      2001:4d78:400:10a::/64,         # FR2
-      2604:1380:4091:3000::/56,       # FR2 Equinix boundary
-      2a0f:cd00:2::/56,               # GE1
-      2a00:fa0:3::/48,                # GE2
-      2604:b900:4001:76::/64,         # HU1
-      2600:2c01:21::/64,              # JV1
-      2a02:800:2:2003::/64,           # LJ1
-      2a0b:21c0:4003:2::/64,          # LN1
-      2a0b:21c0:4006:100::/56,        # LN1-add
-      2600:3006:1400:1500::/64,       # LV1
-      2a00:fc0:5000:300::/64,         # MB1
-      2001:1900:2100:2827::/64,       # MM1
-      2a0b:21c0:b002:2::/64,          # MR1
-      2a01:138:900a::/48,             # MU1
-      2607:f1d0:10:1::/64,            # NY1
-      2604:3fc0:3002::/48,            # OR1
-      2610:190:6000:1::/64,           # PH1
-      2600:3004:1200:1200::/56,       # PL1
-      2600:c00:2:100::/64,            # SE1 InfraDC annex
-      2401:3f00:1000:24::/64,         # SG1
-      2604:1380:40e1:4700::/56,       # SG1 Equinix boundary
-      2401:3f00:1000:22::/64,         # SG2
-      2401:3f00:1000:23::/64,         # SG3
-      2001:4c08:2003:b09::/64,        # SH1
-      2600:c02:b002:15::/64,          # SJ1
-      2610:190:df01:5::/64,           # ST1
-      2604:1380:45e1:a600::/56,       # SV15 Equinix boundary
-      2607:f758:c300::/64,            # TP1
-      2602:ffe4:801:16::/64,          # TY1
-      2602:ffe4:801:17::/64,          # TY2
-      2602:ffe4:801:18::/64,          # TY3
-      2a00:fb01:400::/55,             # ZH1
-      2a00:fb01:400:100::/64,         # ZH2
-      2a02:418:3002::/48,             # ZH3
-      2a02:41b:300e::/48,             # ZH4
-      2a01:2a8:a13d::/48,             # ZH5
-      2a01:2a8:a13c::/48,             # ZH6
-      2a01:2a8:a13e::/48,             # ZH7
-      fd00:2:1:1::/64                 # Private prefix used by [Ref A]
+      2602:fb2b:120::/48,             # ch1
+      2602:fb2b:100::/48,             # dm1
+      2602:fb2b:110::/48,             # fr1
+      2600:c00:2:100::/64,            # se1
+      2001:4c08:2003:b09::/64,        # sh1
+      2600:3007:4401::/48,            # tp1
+      2a00:fb01:400::/56,             # zh1
+      2a00:fb01:400:200::/64,         # zh2
+      2a05:d01c:e2c:a700::/56,        # AWS_eu-west-2_monitoring
+      2a05:d01c:d9:2b00::/56,         # AWS_eu-west-2_monitoring2
     } # comment "DFINITY operated DC's"
 
     # [Ref A]
@@ -159,11 +110,9 @@ table ip6 filter {
     type ipv6_addr
     flags interval
     elements =  {
-      2607:f6f0:3004::/48,            # CH1-old
-      2602:fb2b:120::/48,             # CH1 InfraDC prefix
-      2001:4d78:40d::/48,             # FR1-old
-      2602:fb2b:110::/48,             # FR1 InfraDC prefix
-      2602:fb2b:100::/48              # DM1
+      2602:fb2b:100:12::/64, # dm1-obs
+      2602:fb2b:120:12::/64, # ch1-obs
+      2602:fb2b:110:12::/64, # fr1-obs
     } # comment "Telemetry infrastructure"
   }
 

rs/ic_os/config/tool/templates/ic.json5.template

@@ -300,77 +300,16 @@ table ip6 filter {\n\
         default_rules: [{
           ipv4_prefixes: [],
           ipv6_prefixes: [
-            "2001:438:fffd:11c::/64",
-            "2001:470:1:c76::/64",
-            "2602:fb2b:110::/48",
-            "2001:920:401a:1706::/64",
-            "2001:920:401a:1708::/64",
-            "2001:920:401a:1710::/64",
-            "2401:3f00:1000:22::/64",
-            "2401:3f00:1000:23::/64",
-            "2401:3f00:1000:24::/64",
-            "2600:2c01:21::/64",
-            "2600:3000:1300:1300::/64",
-            "2600:3000:6100:200::/64",
-            "2600:3004:1200:1200::/56",
-            "2600:3006:1400:1500::/64",
-            "2600:c00:2:100::/64",
-            "2600:c02:b002:15::/64",
-            "2600:c0d:3002:4::/64",
-            "2602:ffe4:801:16::/64",
-            "2602:ffe4:801:17::/64",
-            "2602:ffe4:801:18::/64",
-            "2604:1380:4091:3000::/64",
-            "2604:1380:40e1:4700::/64",
-            "2604:1380:40f1:1700::/64",
-            "2604:1380:45d1:bf00::/64",
-            "2604:1380:45e1:a600::/64",
-            "2604:1380:45f1:9400::/64",
-            "2604:1380:4601:6200::/64",
-            "2604:1380:4601:6201::/64",
-            "2604:1380:4601:6202::/64",
-            "2604:1380:4641:6101::/64",
-            "2604:1380:4641:6102::/64",
-            "2604:1380:4091:3001::/64",
-            "2604:1380:4091:3002::/64",
-            "2604:1380:45e1:a601::/64",
-            "2604:1380:45e1:a602::/64",
-            "2604:1380:4641:6100::/64",
-            "2604:3fc0:2001::/48",
-            "2604:3fc0:3002::/48",
-            "2604:6800:258:1::/64",
-            "2604:7e00:30:3::/64",
-            "2604:7e00:50::/64",
-            "2604:b900:4001:76::/64",
-            "2607:f1d0:10:1::/64",
             "2602:fb2b:120::/48",
-            "2607:f758:1220::/64",
-            "2607:f758:c300::/64",
             "2602:fb2b:100::/48",
-            "2607:ff70:3:2::/64",
-            "2610:190:6000:1::/64",
-            "2610:190:df01:5::/64",
-            "2a00:fa0:3::/48",
-            "2a00:fb01:400:100::/56",
+            "2602:fb2b:110::/48",
+            "2600:c00:2:100::/64",
+            "2001:4c08:2003:b09::/64",
+            "2600:3007:4401::/48",
             "2a00:fb01:400::/56",
-            "2a00:fc0:5000:300::/64",
-            "2a01:138:900a::/48",
-            "2a01:2a8:a13c:1::/64",
-            "2a01:2a8:a13d:1::/64",
-            "2a01:2a8:a13e:1::/64",
-            "2a02:418:3002:0::/64",
-            "2a02:41b:300e::/48",
-            "2a02:800:2:2003::/64",
-            "2a04:9dc0:0:108::/64",
-            "2a05:d014:939:bf00::/56",
-            "2a05:d01c:d9:2b00::/56",
+            "2a00:fb01:400:200::/64",
             "2a05:d01c:e2c:a700::/56",
-            "2a0b:21c0:4003:2::/64",
-            "2a0b:21c0:4006:100::/56",
-            "2a0b:21c0:b002:2::/64",
-            "2a0f:cd00:0002::/56",
-            "fd00:2:1:1::/64",
-            "fda6:8d22:43e1::/48",
+            "2a05:d01c:d9:2b00::/56",
           ],
           ports: [22, 2497, 4100, 7070, 8080, 9090, 9091, 9100, 19100, 19523, 19531],
           action: 1,
@@ -500,12 +439,16 @@ table ip6 filter {\n\
         default_rules: [{
             ipv4_prefixes: [],
             ipv6_prefixes: [
-                "2a00:fb01:400::/56",
                 "2602:fb2b:120::/48",
-                "2602:fb2b:110::/48",
                 "2602:fb2b:100::/48",
-                "2a0b:21c0:4006:100::/56",
-                "fda6:8d22:43e1::/48",
+                "2602:fb2b:110::/48",
+                "2600:c00:2:100::/64",
+                "2001:4c08:2003:b09::/64",
+                "2600:3007:4401::/48",
+                "2a00:fb01:400::/56",
+                "2a00:fb01:400:200::/64",
+                "2a05:d01c:e2c:a700::/56",
+                "2a05:d01c:d9:2b00::/56",
             ],
             ports: [22, 7070, 9091, 9100, 9324, 19531],
             action: 1,