author | William A. Kennington III <wak@google.com> | 2021-09-08 23:06:00 +0300 |
---|---|---|
committer | William A. Kennington III <wak@google.com> | 2021-09-12 00:28:14 +0300 |
commit | cffcaa7ab580855b658fdd2509db166263821ea5 (patch) | |
tree | bd7afe04b9ec8a9f6ae6c0b4549d65e74a6f5c00 | |
parent | 31ff6c42f09573a25a0583fe1e0badab93e0476e (diff) | |
download | openbmc-cffcaa7ab580855b658fdd2509db166263821ea5.tar.xz |
meta-google: gbmc-bridge: Fix nftables rules for local BMC address
We want to use sets instead of separate rules for each address. This
also ensures that packets coming from internal sources are matched as
internal packets.
Change-Id: Iff87b81c48c7491a74af1a2cead4cabcb56d81a0
Signed-off-by: William A. Kennington III <wak@google.com>
-rw-r--r-- | meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules b/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
index 1a5e6331d..475cc02f9 100644
--- a/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
+++ b/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
@@ -16,10 +16,18 @@ table inet filter {
 jump gbmc_br_pub_input
 reject
 }
+ set gbmc_br_int_addrs {
+ type ipv6_addr;
+ flags interval
+ elements = {
+ ff00::/8,
+ fe80::/64,
+ fdb5:0481:10ce::/64,
+ }
+ }
 chain gbmc_br_int_input {
- ip6 daddr ff00::/8 accept
- ip6 daddr fe80::/64 accept
- ip6 daddr fdb5:0481:10ce::/64 accept
+ ip6 daddr @gbmc_br_int_addrs accept
+ ip6 saddr @gbmc_br_int_addrs accept
 }
 chain gbmc_br_pub_input {
 ip6 nexthdr icmpv6 accept |
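Review bot: The added `ip6 saddr @gbmc_br_int_addrs accept` in `gbmc_br_int_input` decides on the source address, which the sender chooses, so it is only as strong as whatever restricts which interfaces reach this chain; the jump into the chain is outside the hunk, so I cannot confirm that restriction. If the chain is reachable from a routed or externally facing interface, a packet carrying a forged `fdb5:0481:10ce::/64` or `fe80::/64` source would be treated as internal and never reach `gbmc_br_pub_input`. Reusing the destination set also puts `ff00::/8` on the source side, where a multicast address is never valid; a separate source set without it, with a reverse-path check such as `fib saddr . iif oif missing drop` ahead of the accept, would tighten this. At minimum the rule deserves a comment like `# saddr match assumes ingress is limited to the bridge interface; the source address is spoofable otherwise`.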