-rw-r--r-- | meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in | 2 | ||||
-rw-r--r-- | meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in | 5 |
2 files changed, 6 insertions, 1 deletions
diff --git a/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in b/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
index 70f14ae59..938dca34b 100644
--- a/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
+++ b/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
@@ -25,7 +25,7 @@ table inet filter {
 icmpv6 type nd-router-advert accept
 }
 chain ncsi_forward {
- type filter hook forward priority 0; policy accept;
+ type filter hook forward priority 0; policy drop;
 iifname != @NCSI_IF@ accept
 oifname != gbmcbr drop
 ip6 daddr fdb5:0481:10ce::/64 drop
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
index 727c8b643..93d1a4ad2 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
@@ -59,6 +59,11 @@ gbmc_ncsi_nft_update() {
 fi
 contents+=' }'$'\n'
+ contents+=' chain ncsi_forward {'$'\n'
+ if [ -n "$pfx" ]; then
+ contents+=" ip6 saddr != $pfx/72 ip6 daddr $pfx/72 accept"$'\n'
+ fi
+ contents+=' }'$'\n'
 contents+='}'$'\n'
 local rfile=/run/nftables/40-gbmc-ncsi-in.rules |
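Review bot: The new `policy drop` on `ncsi_forward` sits in an `inet` table, so it also drops all forwarded IPv4 arriving on @NCSI_IF@, while the only accept this commit introduces (in gbmc-ncsi-nft.sh.in) matches IPv6 destinations only. If IPv4 forwarding from the NC-SI side is meant to be closed, record that next to the policy line, for example `# default-deny for NCSI ingress; the per-prefix accept is appended at runtime via /run/nftables/40-gbmc-ncsi-in.rules`. The hunk shows no `ct state established,related accept`, so return traffic for flows initiated from the gbmcbr side would hit the default drop unless a later rule covers it. The chain body continues past the hunk, so that may already be handled.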
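Review bot: The appended accept in `gbmc_ncsi_nft_update` is only evaluated after the static `oifname != gbmcbr drop` guard if the static rules file is loaded first, and the generated file is written as `40-gbmc-ncsi-in.rules` while the static one is `50-gbmc-ncsi.rules`. If load order follows the names, the accept would sit ahead of that guard; confirm the order or make the rule self-contained, e.g. `oifname gbmcbr ip6 saddr != $pfx/72 ip6 daddr $pfx/72 accept`. `$pfx` is spliced into the ruleset text unquoted and is derived outside the hunk, so verify it can only be a well-formed IPv6 prefix before it reaches nft. The `/72` length appears twice with no explanation; a one-line comment such as `# /72 is the per-machine prefix routed behind the BMC` (wording to be confirmed by the author) would help the next reader.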