From cffcaa7ab580855b658fdd2509db166263821ea5 Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Wed, 8 Sep 2021 13:06:00 -0700
Subject: meta-google: gbmc-bridge: Fix nftables rules for local BMC address
We want to use sets instead of separate rules for each address. This also ensures that packets coming from internal sources are matched as internal packets.
Change-Id: Iff87b81c48c7491a74af1a2cead4cabcb56d81a0
Signed-off-by: William A. Kennington III
---
 .../recipes-google/networking/gbmc-bridge/50-gbmc-br.rules | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules b/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
index 1a5e6331d..475cc02f9 100644
--- a/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
+++ b/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
@@ -16,10 +16,18 @@ table inet filter {
 jump gbmc_br_pub_input
 reject
 }
+ set gbmc_br_int_addrs {
+ type ipv6_addr;
+ flags interval
+ elements = {
+ ff00::/8,
+ fe80::/64,
+ fdb5:0481:10ce::/64,
+ }
+ }
 chain gbmc_br_int_input {
- ip6 daddr ff00::/8 accept
- ip6 daddr fe80::/64 accept
- ip6 daddr fdb5:0481:10ce::/64 accept
+ ip6 daddr @gbmc_br_int_addrs accept
+ ip6 saddr @gbmc_br_int_addrs accept
 }
 chain gbmc_br_pub_input {
 ip6 nexthdr icmpv6 accept
-- 
cgit v1.2.3
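Review bot: The added `ip6 saddr @gbmc_br_int_addrs accept` in `gbmc_br_int_input` bases the accept verdict on a sender-chosen source address. The set it reuses contains `fe80::/64`, which every on-link neighbour legitimately uses as a source, so this traffic would presumably be accepted before the `gbmc_br_pub_input` restrictions are ever evaluated. The set also carries `ff00::/8`, which is never a valid IPv6 source address, so sharing one set between the daddr and saddr rules is looser than the source side needs. Consider a separate source set holding only the prefixes that are really internal, e.g. `ip6 saddr @gbmc_br_int_srcs accept` (set name constructed here) with just `fdb5:0481:10ce::/64`, paired with an interface match or a reverse-path check such as `fib saddr . iif oif missing drop`. The chain that dispatches to `gbmc_br_int_input` begins above the hunk, so whether an interface match already narrows this rule is not visible here.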