meta-google: gbmc-ncsi-config: Restrict NCSI input packets

Break down packets by their incoming address and ensure that we don't
allow packets to unintended destinations. Right now this is effectively
a no-op, but it will be necessary for BMC public addressing.

Change-Id: I39c16c3b9cd4c293df42b928674e39677d7834e9
Signed-off-by: William A. Kennington III <wak@google.com>

1 files changed, 13 insertions, 0 deletions

diff --git a/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in b/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
index 33031f0db..4ebe35128 100644
--- a/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
+++ b/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
@@ -3,10 +3,23 @@ table inet filter {
         type filter hook input priority 0; policy drop;
         iifname != @NCSI_IF@ accept
         ct state established accept
+        ip6 daddr ff00::/8 goto ncsi_brd_input
+        ip6 daddr fe80::/64 goto ncsi_legacy_input
+    }
+    chain ncsi_gbmc_br_pub_input {
+        jump gbmc_br_pub_input
+        reject
+    }
+    chain gbmc_br_pub_input {
+    }
+    chain ncsi_legacy_input {
+        jump ncsi_brd_input
         tcp dport 3959 accept
         udp dport 3959 accept
         tcp dport 3967 accept
         udp dport 3967 accept
+    }
+    chain ncsi_brd_input {
         icmpv6 type nd-neighbor-advert accept
         icmpv6 type nd-neighbor-solicit accept
         icmpv6 type nd-router-advert accept