diff options
| author | William A. Kennington III <wak@google.com> | 2021-11-24 07:54:56 +0300 |
|---|---|---|
| committer | William A. Kennington III <wak@google.com> | 2021-12-07 01:28:57 +0300 |
| commit | b823f89c8cd0da678c78e242bf12c25f414d0697 (patch) | |
| tree | 5c6aadc05b418812d0d75a54a6126c451ae0a321 | |
| parent | 3dbea9350f23bbf2a4b3909e1d6bab157edba7fc (diff) | |
| download | openbmc-b823f89c8cd0da678c78e242bf12c25f414d0697.tar.xz | |
meta-google: gbmc-ncsi-config: Fix deprecated address nft
The nft rules were not deleted in cases where the public addresses are
removed from the gbmc-br interface. This would create broken rules.
Change-Id: I22a88f1fb15ccbea49e586061ea8e93bbbfb1bc1
Signed-off-by: William A. Kennington III <wak@google.com>
| -rw-r--r-- | meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in index 7b07025700..677ef28c37 100644 --- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in +++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in @@ -29,6 +29,7 @@ gbmc_ncsi_br_deprecated_ips_update() { "${gbmc_ncsi_br_deprecated_ips_lastip:-(deleted)}" >&2 local contents= + local nfcontents= if [ -n "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then local pfx_bytes=() ip_to_bytes pfx_bytes "$gbmc_ncsi_br_deprecated_ips_lastip" @@ -50,6 +51,16 @@ PreferredLifetime=0 Address=$host_pfx/128 PreferredLifetime=0 EOF + read -r -d '' nfcontents <<EOF +table inet filter { + chain ncsi_input { + ip6 saddr != $pfx/76 ip6 daddr $pfx/76 goto ncsi_gbmc_br_pub_input + } + chain ncsi_forward { + ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept + } +} +EOF fi local file @@ -70,19 +81,13 @@ EOF networkctl reload && networkctl reconfigure @NCSI_IF@ fi - read -r -d '' contents <<EOF -table inet filter { - chain ncsi_input { - ip6 saddr != $pfx/76 ip6 daddr $pfx/76 goto ncsi_gbmc_br_pub_input - } - chain ncsi_forward { - ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept - } -} -EOF - rfile=/run/nftables/40-gbmc-ncsi-br.rules + local rfile=/run/nftables/40-gbmc-ncsi-br.rules mkdir -p -m 755 "$(dirname "$rfile")" - printf '%s' "$contents" >"$rfile" + if [ -z "$nfcontents" ]; then + rm -f "$rfile" + else + printf '%s' "$nfcontents" >"$rfile" + fi systemctl reset-failed nftables && systemctl --no-block restart nftables || true } |