author | William A. Kennington III <wak@google.com> | 2021-05-12 10:57:41 +0300 |
---|---|---|
committer | William A. Kennington III <wak@google.com> | 2021-05-12 23:17:15 +0300 |
commit | cf1e7270226fd27f72d9c70caf422376a8a14404 (patch) | |
tree | 8da646df72ac5dd225ab076f9dda40fdf85d1a8b /meta-google | |
parent | a7a7ed08b2d02ef746631894cfae6e6b00a41fef (diff) | |
download | openbmc-cf1e7270226fd27f72d9c70caf422376a8a14404.tar.xz |
meta-google: gbmc-ncsi-nft: More forward restriction
We only want to allow <pfx>::fd... traffic into the machine area network
from the outside world. Instead of just blocking internal network
addresses from the outside, explicitly look at the prefix.
Change-Id: Id0afef7c813aef381e81b8fcfb570778f529f5dc
Signed-off-by: William A. Kennington III <wak@google.com>
Diffstat (limited to 'meta-google')
-rw-r--r-- | meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in | 2 | ||||
-rw-r--r-- | meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in | 5 |
2 files changed, 6 insertions, 1 deletions
diff --git a/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in b/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
index 70f14ae59..938dca34b 100644
--- a/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
+++ b/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
@@ -25,7 +25,7 @@ table inet filter {
 icmpv6 type nd-router-advert accept
 }
 chain ncsi_forward {
- type filter hook forward priority 0; policy accept;
+ type filter hook forward priority 0; policy drop;
 iifname != @NCSI_IF@ accept
 oifname != gbmcbr drop
 ip6 daddr fdb5:0481:10ce::/64 drop
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
index 727c8b643..93d1a4ad2 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
@@ -59,6 +59,11 @@ gbmc_ncsi_nft_update() {
 fi
 contents+=' }'$'\n'
+ contents+=' chain ncsi_forward {'$'\n'
+ if [ -n "$pfx" ]; then
+ contents+=" ip6 saddr != $pfx/72 ip6 daddr $pfx/72 accept"$'\n'
+ fi
+ contents+=' }'$'\n'
 contents+='}'$'\n'
 local rfile=/run/nftables/40-gbmc-ncsi-in.rules
 |
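Review bot: With `policy drop` on ncsi_forward, the two explicit drop rules that follow the changed line (`oifname != gbmcbr drop`, `ip6 daddr fdb5:0481:10ce::/64 drop`) no longer change the verdict on their own, and the only accept for outside traffic is the prefix rule the second hunk generates into a separate `chain ncsi_forward` block in 40-gbmc-ncsi-in.rules, so the final verdict for that range appears to depend on the order in which the two rule files are loaded and on whether `$pfx/72` overlaps fdb5:0481:10ce::/64 — worth confirming rather than relying on file ordering. The generated rule is also only emitted when `$pfx` is non-empty, so with no prefix every forwarded packet from @NCSI_IF@ is dropped, and no IPv4 accept rule is visible in the chain, so forwarded IPv4 from that interface is dropped as well; if both are intended, the policy line deserves a comment such as `# default-deny: only the per-prefix accept generated by gbmc-ncsi-nft.sh may reach gbmcbr`. The enclosing `table inet filter` block and the ncsi_forward chain both continue outside the hunk.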