authorWilliam A. Kennington III <wak@google.com>2021-05-12 10:57:41 +0300
committerWilliam A. Kennington III <wak@google.com>2021-05-12 23:17:15 +0300
commitcf1e7270226fd27f72d9c70caf422376a8a14404 (patch)
tree8da646df72ac5dd225ab076f9dda40fdf85d1a8b
parenta7a7ed08b2d02ef746631894cfae6e6b00a41fef (diff)
downloadopenbmc-cf1e7270226fd27f72d9c70caf422376a8a14404.tar.xz
meta-google: gbmc-ncsi-nft: More forward restriction
We only want to allow <pfx>::fd... traffic into the machine area network from the outside world. Instead of just blocking internal network addresses from the outside, explicitly look at the prefix. Change-Id: Id0afef7c813aef381e81b8fcfb570778f529f5dc Signed-off-by: William A. Kennington III <wak@google.com>
-rw-r--r--meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in2
-rw-r--r--meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in5
2 files changed, 6 insertions, 1 deletions
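--- a/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
+++ b/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
@@ -25,7 +25,7 @@ table inet filter {
 icmpv6 type nd-router-advert accept
 }
 chain ncsi_forward {
-type filter hook forward priority 0; policy accept;
+type filter hook forward priority 0; policy drop;
 iifname != @NCSI_IF@ accept
 oifname != gbmcbr drop
 ip6 daddr fdb5:0481:10ce::/64 drop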
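Review bot: With the chain policy now `drop`, the two explicit drops that follow the hook line (`oifname != gbmcbr drop` and `ip6 daddr fdb5:0481:10ce::/64 drop`) are redundant with the policy unless they are meant to fire before an accept that is appended later, and nothing in this file says where such an accept comes from. The accept for this chain is generated at runtime by the second file in this commit into /run/nftables/40-gbmc-ncsi-in.rules, so a reader of 50-gbmc-ncsi.rules.in alone cannot tell why the explicit drops were kept. A comment above the chain would make the contract visible, e.g. `# policy drop: forwarding from @NCSI_IF@ is permitted only by explicit accept rules, here and in the generated /run/nftables/40-gbmc-ncsi-in.rules chain of the same name; the drops below are presumably meant to match before that accept`. If both files contribute rules to one chain, the relative order of these drops and the generated accept presumably depends on the rule-file load order, which is not visible here and is worth confirming. The chain's closing brace and any remaining rules are outside the hunk.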
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
index 727c8b643..93d1a4ad2 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
@@ -59,6 +59,11 @@ gbmc_ncsi_nft_update() {
fi
contents+=' }'$'\n'
+ contents+=' chain ncsi_forward {'$'\n'
+ if [ -n "$pfx" ]; then
+ contents+=" ip6 saddr != $pfx/72 ip6 daddr $pfx/72 accept"$'\n'
+ fi
+ contents+=' }'$'\n'
contents+='}'$'\n'
local rfile=/run/nftables/40-gbmc-ncsi-in.rules