meta-google: gbmc-bridge: Provision NCSI deprecated addresses

This scans the gbmcbr interface for public addresses, and adds the
relevant addresses to the NCSI interface of the BMC. This is required
for neighbor discovery to work from prod over the NCSI link, when the
addresses do not already exist (BMC DHCP will not have them).

Change-Id: I27ff0cd3c4750b752b35399b8a0288db5ac9fe28
Signed-off-by: William A. Kennington III <wak@google.com>

4 files changed, 122 insertions, 41 deletions

diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
new file mode 100644
index 000000000..da6f27a79
--- /dev/null
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
@@ -0,0 +1,118 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[ -z "${gbmc_ncsi_br_deprecated_ips_lib-}" ] || return
+
+gbmc_ncsi_br_deprecated_ips_init=
+gbmc_ncsi_br_deprecated_ips_confip=
+gbmc_ncsi_br_deprecated_ips_lastip=
+
+gbmc_ncsi_br_deprecated_ips_update() {
+  [ -n "$gbmc_ncsi_br_deprecated_ips_init" ] || return
+  [ "$gbmc_ncsi_br_deprecated_ips_confip" != "$gbmc_ncsi_br_deprecated_ips_lastip" ] || return
+  gbmc_ncsi_br_deprecated_ips_confip="$gbmc_ncsi_br_deprecated_ips_lastip"
+
+  printf 'gBMC Bridge NCSI Deprecated Addrs: %s\n' \
+    "${gbmc_ncsi_br_deprecated_ips_lastip:-(deleted)}" >&2
+
+  local contents=
+  if [ -n "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then
+    local pfx_bytes=()
+    ip_to_bytes pfx_bytes "$gbmc_ncsi_br_deprecated_ips_lastip"
+
+    local pfx="$(ip_bytes_to_str pfx_bytes)"
+    pfx_bytes[8]=0
+    pfx_bytes[9]=0
+    local host_pfx="$(ip_bytes_to_str pfx_bytes)"
+    read -r -d '' contents <<EOF
+[Address]
+Address=$pfx/128
+PreferredLifetime=0
+[Address]
+Address=$host_pfx/128
+PreferredLifetime=0
+EOF
+  fi
+
+  local file
+  for file in /run/systemd/network/{00,}-bmc-@NCSI_IF@.network.d/50-deprecated.conf; do
+    mkdir -p -m 755 "$(dirname "$file")"
+    if [ -z "$contents" ]; then
+      rm -f "$file"
+    else
+      printf '%s' "$contents" >"$file"
+    fi
+  done
+
+  # Ensure that systemd-networkd performs a reconfiguration as it doesn't
+  # currently check the mtime of drop-in files.
+  touch -c /etc/systemd/network/*-bmc-@NCSI_IF@.network
+
+  if [ "$(systemctl is-active systemd-networkd)" != 'inactive' ]; then
+    networkctl reload && networkctl reconfigure @NCSI_IF@
+  fi
+
+  read -r -d '' contents <<EOF
+table inet filter {
+  chain ncsi_input {
+    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 goto ncsi_gbmc_br_pub_input
+  }
+  chain ncsi_forward {
+    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept
+  }
+}
+EOF
+  rfile=/run/nftables/40-gbmc-ncsi-br.rules
+  mkdir -p -m 755 "$(dirname "$rfile")"
+  printf '%s' "$contents" >"$rfile"
+  systemctl reset-failed nftables && systemctl --no-block restart nftables || true
+}
+
+gbmc_ncsi_br_deprecated_ips_hook() {
+  if [ "$change" = 'init' ]; then
+    gbmc_ncsi_br_deprecated_ips_init=1
+    gbmc_ip_monitor_defer
+  elif [ "$change" = 'defer' ]; then
+    gbmc_ncsi_br_deprecated_ips_update
+  elif [ "$change" = 'addr' -a "$intf" = 'gbmcbr' ] &&
+     [ "$scope" = 'global' -a "$fam" = 'inet6' ]; then
+    local pfx_bytes=()
+    ip_to_bytes pfx_bytes "$ip" || return
+    # No ULA Addresses
+    if (( pfx_bytes[0] & 0xfe == 0xfc )); then
+      return
+    fi
+    # We only want to allow a <pfx>::fd0x address, where x>0
+    if (( pfx_bytes[8] != 0xfd || pfx_bytes[9] & 0xf == 0 )); then
+      return
+    fi
+    for (( i = 10; i < 16; ++i )); do
+      if (( pfx_bytes[i] != 0 )); then
+        return
+      fi
+    done
+    if [ "$action" = 'add' -a "$ip" != "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then
+      gbmc_ncsi_br_deprecated_ips_lastip="$ip"
+      gbmc_ip_monitor_defer
+    fi
+    if [ "$action" = 'del' -a "$ip" = "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then
+      gbmc_ncsi_br_deprecated_ips_lastip=
+      gbmc_ip_monitor_defer
+    fi
+  fi
+}
+
+GBMC_IP_MONITOR_HOOKS+=(gbmc_ncsi_br_deprecated_ips_hook)
+
+gbmc_ncsi_br_deprecated_ips_lib=1
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in
index 80bd34f04..6144617d4 100755
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in
@@ -70,7 +70,6 @@ EOF
   touch -c /lib/systemd/network/*-bmc-gbmcbr.network || true
 
   contents='[Network]'$'\n'
-  contents+="Address=$pfx/128"$'\n'
   contents+="Gateway=$rtr"$'\n'
   for file in /run/systemd/network/{00,}-bmc-"$NCSI_IF".network.d/49-public-ra.conf; do
     mkdir -p -m 755 "$(dirname "$file")"
@@ -81,21 +80,6 @@ EOF
   if [ "$(systemctl is-active systemd-networkd)" != 'inactive' ]; then
     networkctl reload && networkctl reconfigure gbmcbr "$NCSI_IF" || true
   fi
-
-  read -r -d '' contents <<EOF
-table inet filter {
-  chain ncsi_input {
-    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 goto ncsi_gbmc_br_pub_input
-  }
-  chain ncsi_forward {
-    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept
-  }
-}
-EOF
-  rfile=/run/nftables/40-gbmc-ncsi-ra.rules
-  mkdir -p -m 755 "$(dirname "$rfile")"
-  printf '%s' "$contents" >"$rfile"
-  systemctl reset-failed nftables && systemctl --no-block restart nftables || true
 }
 
 w=60
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
index 7a630f5fe..30b2b65e4 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
@@ -35,36 +35,11 @@ gbmc_ncsi_nft_update() {
   fi
 
   local ip6="$gbmc_ncsi_nft_lastip6"
-  local pfx=
   if [ -n "$ip6" ]; then
     contents+="        ip6 daddr $ip6/128 goto ncsi_legacy_input"$'\n'
-
-    local ip_bytes=()
-    ip_to_bytes ip_bytes "$ip6"
-    # If our address has enough spare bits for appending the BMC suffix
-    # then we add a rule that allows the BMC subnet. That is, we need a /64
-    # as input.
-    local i
-    for (( i = 8; i < 16; i++ )); do
-      if (( ip_bytes[$i] != 0 )); then
-        ip_bytes=()
-        break
-      fi
-    done
-    if (( ${#ip_bytes[@]} != 0 )); then
-      ip_bytes[8]=0xfd
-      pfx="$(ip_bytes_to_str ip_bytes)"
-      contents+="        ip6 saddr != $pfx/76 ip6 daddr"
-      contents+=" $pfx/76 goto ncsi_gbmc_br_pub_input"$'\n'
-    fi
   fi
 
   contents+='    }'$'\n'
-  contents+='    chain ncsi_forward {'$'\n'
-  if [ -n "$pfx" ]; then
-    contents+="        ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept"$'\n'
-  fi
-  contents+='    }'$'\n'
   contents+='}'$'\n'
 
   local rfile=/run/nftables/40-gbmc-ncsi-in.rules
diff --git a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
index 10ef56a76..0074a3172 100644
--- a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
+++ b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
@@ -18,6 +18,7 @@ SRC_URI += " \
   file://gbmc-ncsi-sslh.service \
   file://gbmc-ncsi-nft.sh.in \
   file://gbmc-ncsi-br-pub-addr.sh.in \
+  file://gbmc-ncsi-br-deprecated-ips.sh.in \
   file://gbmc-ncsi-set-nicenabled.service.in \
   "
 
@@ -100,6 +101,9 @@ do_install:append() {
   sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-br-pub-addr.sh.in \
     >${WORKDIR}/gbmc-ncsi-br-pub-addr.sh
   install -m644 ${WORKDIR}/gbmc-ncsi-br-pub-addr.sh $mondir
+  sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-br-deprecated-ips.sh.in \
+    >${WORKDIR}/gbmc-ncsi-br-deprecated-ips.sh
+  install -m644 ${WORKDIR}/gbmc-ncsi-br-deprecated-ips.sh $mondir
 
   sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-set-nicenabled.service.in \
     >${D}${systemd_system_unitdir}/gbmc-ncsi-set-nicenabled.service