meta-google: gbmc-bridge: Fix nftables rules for local BMC address

We want to use sets instead of separate rules for each address. This also ensures that packets coming from internal sources are matched as internal packets. Change-Id: Iff87b81c48c7491a74af1a2cead4cabcb56d81a0 Signed-off-by: William A. Kennington III <wak@google.com>
author: William A. Kennington III <wak@google.com> 2021-09-08 23:06:00 +0300
committer: William A. Kennington III <wak@google.com> 2021-09-12 00:28:14 +0300
commit: cffcaa7ab580855b658fdd2509db166263821ea5 (patch)
tree: bd7afe04b9ec8a9f6ae6c0b4549d65e74a6f5c00 /meta-google
parent: 31ff6c42f09573a25a0583fe1e0badab93e0476e (diff)
download: openbmc-cffcaa7ab580855b658fdd2509db166263821ea5.tar.xz
1 files changed, 11 insertions, 3 deletions
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules b/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
index 1a5e6331d..475cc02f9 100644
--- a/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
+++ b/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
@@ -16,10 +16,18 @@ table inet filter {
     jump gbmc_br_pub_input
     reject
   }
+  set gbmc_br_int_addrs {
+    type ipv6_addr;
+    flags interval
+    elements = {
+      ff00::/8,
+      fe80::/64,
+      fdb5:0481:10ce::/64,
+    }
+  }
   chain gbmc_br_int_input {
-    ip6 daddr ff00::/8 accept
-    ip6 daddr fe80::/64 accept
-    ip6 daddr fdb5:0481:10ce::/64 accept
+    ip6 daddr @gbmc_br_int_addrs accept
+    ip6 saddr @gbmc_br_int_addrs accept
   }
   chain gbmc_br_pub_input {
     ip6 nexthdr icmpv6 accept
author	William A. Kennington III <wak@google.com>	2021-09-08 23:06:00 +0300
committer	William A. Kennington III <wak@google.com>	2021-09-12 00:28:14 +0300
commit	cffcaa7ab580855b658fdd2509db166263821ea5 (patch)
tree	bd7afe04b9ec8a9f6ae6c0b4549d65e74a6f5c00 /meta-google
parent	31ff6c42f09573a25a0583fe1e0badab93e0476e (diff)
download	openbmc-cffcaa7ab580855b658fdd2509db166263821ea5.tar.xz