From 53527f3f24e5df5d0344f057cdb85dde7e596955 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Tue, 27 Apr 2021 13:05:45 -0700 Subject: meta-google: gbmc-bridge: Recognize public addresses internally We want to be able to categorize public addresses being used for internal traffic, and allow them to access internal services. Change-Id: I1f4b8eaa329954f330c3052c0c789b8e5e3b4662 Signed-off-by: William A. Kennington III --- .../recipes-google/networking/gbmc-bridge.bb | 2 + .../networking/gbmc-bridge/gbmc-br-nft.sh | 63 ++++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh (limited to 'meta-google') diff --git a/meta-google/recipes-google/networking/gbmc-bridge.bb b/meta-google/recipes-google/networking/gbmc-bridge.bb index 80a42bd17..6c51a2806 100644 --- a/meta-google/recipes-google/networking/gbmc-bridge.bb +++ b/meta-google/recipes-google/networking/gbmc-bridge.bb @@ -18,6 +18,7 @@ SRC_URI += " \ file://gbmc-br-from-ra.sh \ file://gbmc-br-ensure-ra.sh \ file://gbmc-br-ensure-ra.service \ + file://gbmc-br-nft.sh \ " FILES_${PN}_append = " \ @@ -89,6 +90,7 @@ do_install() { install -d -m0755 "$mondir" install -m0644 ${WORKDIR}/gbmc-br-ula.sh "$mondir"/ install -m0644 ${WORKDIR}/gbmc-br-from-ra.sh "$mondir"/ + install -m0644 ${WORKDIR}/gbmc-br-nft.sh "$mondir"/ install -d -m0755 ${D}${libexecdir} install -m0755 ${WORKDIR}/gbmc-br-ensure-ra.sh ${D}${libexecdir}/ diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh new file mode 100644 index 000000000..2099185e8 --- /dev/null +++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh 
@@ -0,0 +1,63 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[ -z "${gbmc_br_nft_lib-}" ] || return
+
+gbmc_br_nft_init=
+gbmc_br_nft_pfx=
+
+gbmc_br_nft_update() {
+ printf 'gBMC Bridge input firewall for %s\n' \
+ "${gbmc_br_nft_pfx:-(deleted)}" >&2
+
+ local contents=
+ contents+='table inet filter {'$'\n'
+ contents+=' chain gbmc_br_int_input {'$'\n'
+ if [ -n "${gbmc_br_nft_pfx-}" ]; then
+ contents+=" ip6 saddr $gbmc_br_nft_pfx"
+ contents+=" ip6 daddr $gbmc_br_nft_pfx accept"$'\n'
+ fi
+ contents+=' }'$'\n'
+ contents+='}'$'\n'
+
+ local rfile=/run/nftables/40-gbmc-br-int.rules
+ mkdir -p -m 755 "$(dirname "$rfile")"
+ printf '%s' "$contents" >"$rfile"
+
+ echo 'Restarting nftables' >&2
+ systemctl reset-failed nftables
+ systemctl --no-block restart nftables
+}
+
+gbmc_br_nft_hook() {
+ if [ "$change" = 'init' ]; then
+ gbmc_br_nft_init=1
+ gbmc_br_nft_update
+ # Match only global IP addresses on the bridge that match the BMC prefix
+ # (:fdxx:). So 2002:af4:3480:2248:fd02:6345:3069:9186 would become
+ # a 2002:af4:3480:2248:fd00/72 rule.
+ elif [ "$change" = 'addr' -a "$intf" = 'gbmcbr' -a "$scope" = 'global' ] &&
+ [[ "$fam" == 'inet6' && "$ip" =~ ^(([^:]+:){4}fd)[^:]{2}:.*$ ]] &&
+ [[ "$flags" != *tentative* ]]; then
+ pfx="${BASH_REMATCH[1]}00::/72"
+ if [ "$action" = "add" -a "$pfx" != "$gbmc_br_nft_pfx" ]; then
+ gbmc_br_nft_pfx="$pfx"
+ gbmc_br_nft_update
+ fi
+ fi
+}
+
+GBMC_IP_MONITOR_HOOKS+=(gbmc_br_nft_hook)
+
+gbmc_br_nft_lib=1
-- cgit v1.2.3
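Review bot: The prefix interpolated into the nft rule text comes from `BASH_REMATCH[1]` of the `elif` regex, and `[^:]+` accepts any non-colon characters (spaces, braces, quotes), so `$ip` (supplied by the ip-monitor framework outside this hunk) reaches `/run/nftables/40-gbmc-br-int.rules` without ever being validated as an address; a malformed value would yield a rule file that makes the `systemctl restart nftables` in `gbmc_br_nft_update` fail. Restricting the match to hex groups costs nothing: `[[ "$fam" == 'inet6' && "$ip" =~ ^(([0-9a-fA-F]{1,4}:){4}fd)[0-9a-fA-F]{2}: ]] &&`. Note also that the generated rule trusts any packet whose `ip6 saddr` falls inside the /72, which on a globally routed prefix is spoofable unless whatever jumps to `gbmc_br_int_input` (not in this hunk) already pins the ingress interface or applies reverse-path filtering — that cannot be confirmed from here and deserves a comment next to the `accept`. The hook only reacts to `"$action" = "add"`, so once the address is removed the accept rule lingers until a new `:fdxx:` address shows up; if that is unintended, a `del` branch that clears `gbmc_br_nft_pfx` and calls `gbmc_br_nft_update` would give the `(deleted)` label a meaning beyond the initial empty state. If the monitor reports compressed addresses, `([^:]+:){4}` will additionally fail to match any address whose first 64 bits contain `::`.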