summaryrefslogtreecommitdiff
path: root/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
diff options
context:
space:
mode:
authorWilliam A. Kennington III <wak@google.com>2021-11-05 11:31:59 +0300
committerWilliam A. Kennington III <wak@google.com>2021-12-04 04:09:21 +0300
commit21e7e45b77e026689b72f182aca4ba2ffd5e0a36 (patch)
tree8d77b2468c741a22404a97528dda914338593ff5 /meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
parenteefb1dde08064d8400a9107500dde5d26ebad63b (diff)
downloadopenbmc-21e7e45b77e026689b72f182aca4ba2ffd5e0a36.tar.xz
meta-google: gbmc-bridge: Provision NCSI deprecated addresses
This scans the gbmcbr interface for public addresses, and adds the relevant addresses to the NCSI interface of the BMC. This is required for neighbor discovery to work from prod over the NCSI link, when the addresses do not already exist (BMC DHCP will not have them). Change-Id: I27ff0cd3c4750b752b35399b8a0288db5ac9fe28 Signed-off-by: William A. Kennington III <wak@google.com>
Diffstat (limited to 'meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in')
-rw-r--r--meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in118
1 files changed, 118 insertions, 0 deletions
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
new file mode 100644
index 000000000..da6f27a79
--- /dev/null
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
@@ -0,0 +1,118 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[ -z "${gbmc_ncsi_br_deprecated_ips_lib-}" ] || return
+
+gbmc_ncsi_br_deprecated_ips_init=
+gbmc_ncsi_br_deprecated_ips_confip=
+gbmc_ncsi_br_deprecated_ips_lastip=
+
+gbmc_ncsi_br_deprecated_ips_update() {
+ [ -n "$gbmc_ncsi_br_deprecated_ips_init" ] || return
+ [ "$gbmc_ncsi_br_deprecated_ips_confip" != "$gbmc_ncsi_br_deprecated_ips_lastip" ] || return
+ gbmc_ncsi_br_deprecated_ips_confip="$gbmc_ncsi_br_deprecated_ips_lastip"
+
+ printf 'gBMC Bridge NCSI Deprecated Addrs: %s\n' \
+ "${gbmc_ncsi_br_deprecated_ips_lastip:-(deleted)}" >&2
+
+ local contents=
+ if [ -n "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then
+ local pfx_bytes=()
+ ip_to_bytes pfx_bytes "$gbmc_ncsi_br_deprecated_ips_lastip"
+
+ local pfx="$(ip_bytes_to_str pfx_bytes)"
+ pfx_bytes[8]=0
+ pfx_bytes[9]=0
+ local host_pfx="$(ip_bytes_to_str pfx_bytes)"
+ read -r -d '' contents <<EOF
+[Address]
+Address=$pfx/128
+PreferredLifetime=0
+[Address]
+Address=$host_pfx/128
+PreferredLifetime=0
+EOF
+ fi
+
+ local file
+ for file in /run/systemd/network/{00,}-bmc-@NCSI_IF@.network.d/50-deprecated.conf; do
+ mkdir -p -m 755 "$(dirname "$file")"
+ if [ -z "$contents" ]; then
+ rm -f "$file"
+ else
+ printf '%s' "$contents" >"$file"
+ fi
+ done
+
+ # Ensure that systemd-networkd performs a reconfiguration as it doesn't
+ # currently check the mtime of drop-in files.
+ touch -c /etc/systemd/network/*-bmc-@NCSI_IF@.network
+
+ if [ "$(systemctl is-active systemd-networkd)" != 'inactive' ]; then
+ networkctl reload && networkctl reconfigure @NCSI_IF@
+ fi
+
+ read -r -d '' contents <<EOF
+table inet filter {
+ chain ncsi_input {
+ ip6 saddr != $pfx/76 ip6 daddr $pfx/76 goto ncsi_gbmc_br_pub_input
+ }
+ chain ncsi_forward {
+ ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept
+ }
+}
+EOF
+ rfile=/run/nftables/40-gbmc-ncsi-br.rules
+ mkdir -p -m 755 "$(dirname "$rfile")"
+ printf '%s' "$contents" >"$rfile"
+ systemctl reset-failed nftables && systemctl --no-block restart nftables || true
+}
+
+gbmc_ncsi_br_deprecated_ips_hook() {
+ if [ "$change" = 'init' ]; then
+ gbmc_ncsi_br_deprecated_ips_init=1
+ gbmc_ip_monitor_defer
+ elif [ "$change" = 'defer' ]; then
+ gbmc_ncsi_br_deprecated_ips_update
+ elif [ "$change" = 'addr' -a "$intf" = 'gbmcbr' ] &&
+ [ "$scope" = 'global' -a "$fam" = 'inet6' ]; then
+ local pfx_bytes=()
+ ip_to_bytes pfx_bytes "$ip" || return
+ # No ULA Addresses
+ if (( pfx_bytes[0] & 0xfe == 0xfc )); then
+ return
+ fi
+ # We only want to allow a <pfx>::fd0x address, where x>0
+ if (( pfx_bytes[8] != 0xfd || pfx_bytes[9] & 0xf == 0 )); then
+ return
+ fi
+ for (( i = 10; i < 16; ++i )); do
+ if (( pfx_bytes[i] != 0 )); then
+ return
+ fi
+ done
+ if [ "$action" = 'add' -a "$ip" != "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then
+ gbmc_ncsi_br_deprecated_ips_lastip="$ip"
+ gbmc_ip_monitor_defer
+ fi
+ if [ "$action" = 'del' -a "$ip" = "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then
+ gbmc_ncsi_br_deprecated_ips_lastip=
+ gbmc_ip_monitor_defer
+ fi
+ fi
+}
+
+GBMC_IP_MONITOR_HOOKS+=(gbmc_ncsi_br_deprecated_ips_hook)
+
+gbmc_ncsi_br_deprecated_ips_lib=1