author | William A. Kennington III <wak@google.com> | 2021-03-11 05:59:12 +0300 |
---|---|---|
committer | William A. Kennington III <wak@google.com> | 2021-05-07 04:09:53 +0300 |
commit | 1ef795b90e4d87f58553afbcf5928728ffb86e1b (patch) | |
tree | 08ee7d0c10ad9afabe5ac1fdd0eaa187cfefd512 /meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb | |
parent | 7b6d7c90bff2d9ab30ceeb922afb572b7196d61b (diff) | |
download | openbmc-1ef795b90e4d87f58553afbcf5928728ffb86e1b.tar.xz |
meta-google: gbmc-ncsi-config: Restrict NCSI input packets
Break down packets by their incoming address and ensure that we don't
allow packets to unintended destinations. Right now this is effectively
a no-op, but it will be necessary for BMC public addressing.
Change-Id: I39c16c3b9cd4c293df42b928674e39677d7834e9
Signed-off-by: William A. Kennington III <wak@google.com>
Diffstat (limited to 'meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb')
-rw-r--r-- | meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
index ecdda2cb6..b833810f1 100644
--- a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
+++ b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
@@ -9,17 +9,22 @@ SRC_URI += " \
 file://50-gbmc-ncsi.rules.in \
 file://gbmc-ncsi-sslh.socket.in \
 file://gbmc-ncsi-sslh.service \
+ file://gbmc-ncsi-nft.sh.in \
 "
 S = "${WORKDIR}"
 RDEPENDS_${PN} += " \
+ gbmc-ip-monitor \
 ncsid \
 nftables-systemd \
 sslh \
 "
-FILES_${PN} += "${systemd_unitdir}"
+FILES_${PN} += " \
+ ${datadir}/gbmc-ip-monitor \
+ ${systemd_unitdir} \
+ "
 SYSTEMD_SERVICE_${PN} += " \
 gbmc-ncsi-sslh.service \
@@ -50,7 +55,7 @@ do_install_append() {
 nftdir=${D}${sysconfdir}/nftables
 install -d -m0755 "$nftdir"
- sed "s,@NCSI_IF@,$if_name," ${WORKDIR}/50-gbmc-ncsi.rules.in \
+ sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/50-gbmc-ncsi.rules.in \
 >"$nftdir"/50-gbmc-ncsi.rules
 wantdir=${D}${systemd_system_unitdir}/multi-user.target.wants
@@ -58,6 +63,12 @@ do_install_append() {
 ln -sv ../ncsid@.service "$wantdir"/ncsid@$if_name.service
 install -m 0644 ${WORKDIR}/gbmc-ncsi-sslh.service ${D}${systemd_system_unitdir}
- sed "s,@NCSI_IF@,$if_name," ${WORKDIR}/gbmc-ncsi-sslh.socket.in \
+ sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-sslh.socket.in \
 >${D}${systemd_system_unitdir}/gbmc-ncsi-sslh.socket
+
+ mondir=${D}${datadir}/gbmc-ip-monitor/
+ install -d -m0755 $mondir
+ sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-nft.sh.in \
+ >${WORKDIR}/gbmc-ncsi-nft.sh
+ install -m644 ${WORKDIR}/gbmc-ncsi-nft.sh $mondir
 } |
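Review bot: `$if_name` is spliced into the `sed` replacement in do_install_append without any visible check that it is set, and the output becomes the nftables ruleset for the NCSI interface; the same pattern is repeated for gbmc-ncsi-sslh.socket and the new gbmc-ncsi-nft.sh in the next hunk. The variable is assigned above the hunk, so it may already be validated there, but if it can be empty the generated rules would name no interface and the input restriction would either fail to load or match nothing. A guard before the first substitution, such as `[ -n "$if_name" ] || bbfatal "NCSI interface name is not set"`, turns that into a build failure instead of a quietly ineffective filter.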
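Review bot: The generated hook is installed with mode 644 and nothing on the added lines says whether gbmc-ip-monitor sources or executes the files under `${datadir}/gbmc-ip-monitor`. If it executes them, the script would never run and the per-address restriction would stay inactive without any error, so a comment such as `# sourced by gbmc-ip-monitor, so no execute bit is needed` (or a mode change, if that is wrong) would settle it. `$mondir` is also left unquoted where the nftables step quotes `"$nftdir"`; `install -d -m0755 "$mondir"` and `install -m644 ${WORKDIR}/gbmc-ncsi-nft.sh "$mondir"` would match the rest of the function. Because the filtering now depends on a runtime hook, it is worth confirming that 50-gbmc-ncsi.rules drops by default until the hook has run; that template is not part of this diff.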