author | William A. Kennington III <wak@google.com> | 2022-05-20 19:55:20 +0300 |
committer | William A. Kennington III <wak@google.com> | 2022-05-27 02:02:20 +0300 |
commit | 757cba278a0aa5fa95f38ac80950e5d055e4b224 (patch) | |
tree | 5cc2cba9272a6fb5ab6d3c85d583cc0636fef4f5 | |
parent | 80a752812ce71d4cb663bc4524436327b8066070 (diff) | |
download | openbmc-757cba278a0aa5fa95f38ac80950e5d055e4b224.tar.xz |
meta-google: gbmc-ncsi-config: Only recognize impersonation
This is the only case where we need to add the rule; any addresses that
are BMC-specific have a different workflow for assigning the firewall
rules.
Change-Id: If15c0cddb23044f774b55b8585446f923c76d7e8
Signed-off-by: William A. Kennington III <wak@google.com>
-rw-r--r-- | meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in | 26 |
1 files changed, 14 insertions, 12 deletions
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
index 1f3ba25607..7f2a51642b 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
@@ -12,7 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-[ -z "${gbmc_ncsi_nft_lib-}" ] || return
+[ -n "${gbmc_ncsi_nft_lib-}" ] && return
+
+source /usr/share/network/lib.sh || exit
 gbmc_ncsi_nft_init=
 gbmc_ncsi_nft_lastip4=
@@ -36,20 +38,13 @@ gbmc_ncsi_nft_update() {
 local ip6="$gbmc_ncsi_nft_lastip6"
 if [ -n "$ip6" ]; then
- # Normalize the provided ipv6 address to the impersonated ipv6 address
- local ip6_bytes=()
- ip_to_bytes ip6_bytes "$ip6"
- for (( i=8; i<16; ++i )); do
- ip6_bytes[$i]=0
- done
- ip6="$(ip_bytes_to_str ip6_bytes)"
- contents+=" ip6 daddr $ip6/128 goto ncsi_legacy_input"$'\n'
+ contents+=" ip6 daddr $ip6 goto ncsi_legacy_input"$'\n'
 fi
 contents+=' }'$'\n'
 contents+='}'$'\n'
- local rfile=/run/nftables/40-gbmc-ncsi-in.rules
+ local rfile=/run/nftables/30-gbmc-ncsi-in.rules
 mkdir -p -m 755 "$(dirname "$rfile")"
 printf '%s' "$contents" >"$rfile"
@@ -60,10 +55,17 @@ gbmc_ncsi_nft_hook() {
 if [ "$change" = 'init' ]; then
 gbmc_ncsi_nft_init=1
 gbmc_ncsi_nft_update
- elif [ "$change" = 'addr' -a "$intf" = '@NCSI_IF@' -a "$scope" = 'global' ] &&
- [[ "$flags" != *deprecated* ]]; then
+ elif [ "$change" = 'addr' -a "$intf" = '@NCSI_IF@' -a "$scope" = 'global' ]; then
 if [ "$fam" = 'inet6' ]; then
 local -n lastip='gbmc_ncsi_nft_lastip6'
+ local pfx_bytes=()
+ ip_to_bytes pfx_bytes "$ip" || return
+ # We only want to allow a <pfx>:: address
+ for (( i = 8; i < 16; ++i )); do
+ if (( pfx_bytes[i] != 0 )); then
+ return
+ fi
+ done
 else
 local -n lastip='gbmc_ncsi_nft_lastip4'
 fi
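Review bot: `source /usr/share/network/lib.sh || exit` terminates whatever shell sourced this library, while the include guard two lines above it uses `return`; the two exit paths are inconsistent and the hunk does not say which behaviour a caller should expect. If lib.sh is a hard dependency (it appears to provide ip_to_bytes, which the hook hunk below calls), a short comment makes that explicit: `# lib.sh provides ip_to_bytes; without it this library cannot work, so abort the caller.` Otherwise `|| return` would let the sourcing script decide. Where `gbmc_ncsi_nft_lib` is set is outside this hunk, so the guard itself cannot be checked here.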
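Review bot: The rename of `rfile` from `40-gbmc-ncsi-in.rules` to `30-gbmc-ncsi-in.rules` changes where this file sorts among the other rule files in /run/nftables, and neither the hunk nor the commit message says why the earlier load position is needed; a one-line comment at the assignment (`# 30- so this chain is installed before the BMC-specific rule files`, or whatever the actual reason is) would stop the next reader from moving it back. Dropping `/128` from the `ip6 daddr` rule is behaviour-neutral for nft, since a bare address is an exact host match, but the comment that explained the impersonation address was deleted with the normalization loop; suggest replacing it with `# $ip6 is already the <pfx>:: impersonation address; the hook filters everything else` so the dependency on the hook's filtering is visible here. gbmc_ncsi_nft_update starts and ends outside this hunk.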
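Review bot: The new byte filter after `local -n lastip='gbmc_ncsi_nft_lastip6'` assumes ip_to_bytes fills all 16 elements; inside `(( ))` an unset `pfx_bytes[i]` evaluates to 0, so a short or partially filled array would be accepted as a `<pfx>::` address. ip_to_bytes lives in lib.sh outside this hunk, so whether it can return fewer bytes for an `inet6` address cannot be confirmed here, but `(( ${#pfx_bytes[@]} == 16 )) || return` before the loop is a cheap guard. The loop index `i` is not declared `local`, so it leaks into the sourcing shell; `local i` alongside `local pfx_bytes=()` fixes that. The `*deprecated*` flag check was removed, so a deprecated `<pfx>::` address now also updates lastip; if that is intended, a comment such as `# deprecated addresses are still tracked here; the rule workflow handles lifetime` would make it explicit. gbmc_ncsi_nft_hook's body continues past the end of the hunk.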