From b823f89c8cd0da678c78e242bf12c25f414d0697 Mon Sep 17 00:00:00 2001
From: "William A. Kennington III" <wak@google.com>
Date: Tue, 23 Nov 2021 20:54:56 -0800
Subject: meta-google: gbmc-ncsi-config: Fix deprecated address nft

The nft rules were not deleted in cases where the public addresses are
removed from the gbmc-br interface. This would create broken rules.

Change-Id: I22a88f1fb15ccbea49e586061ea8e93bbbfb1bc1
Signed-off-by: William A. Kennington III <wak@google.com>
---
 .../ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in   | 29 +++++++++++++---------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
index 7b07025700..677ef28c37 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
@@ -29,6 +29,7 @@ gbmc_ncsi_br_deprecated_ips_update() {
     "${gbmc_ncsi_br_deprecated_ips_lastip:-(deleted)}" >&2
 
   local contents=
+  local nfcontents=
   if [ -n "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then
     local pfx_bytes=()
     ip_to_bytes pfx_bytes "$gbmc_ncsi_br_deprecated_ips_lastip"
@@ -49,6 +50,16 @@ PreferredLifetime=0
 [Address]
 Address=$host_pfx/128
 PreferredLifetime=0
+EOF
+    read -r -d '' nfcontents <<EOF
+table inet filter {
+  chain ncsi_input {
+    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 goto ncsi_gbmc_br_pub_input
+  }
+  chain ncsi_forward {
+    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept
+  }
+}
 EOF
   fi
 
@@ -70,19 +81,13 @@ EOF
     networkctl reload && networkctl reconfigure @NCSI_IF@
   fi
 
-  read -r -d '' contents <<EOF
-table inet filter {
-  chain ncsi_input {
-    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 goto ncsi_gbmc_br_pub_input
-  }
-  chain ncsi_forward {
-    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept
-  }
-}
-EOF
-  rfile=/run/nftables/40-gbmc-ncsi-br.rules
+  local rfile=/run/nftables/40-gbmc-ncsi-br.rules
   mkdir -p -m 755 "$(dirname "$rfile")"
-  printf '%s' "$contents" >"$rfile"
+  if [ -z "$nfcontents" ]; then
+    rm -f "$rfile"
+  else
+    printf '%s' "$nfcontents" >"$rfile"
+  fi
   systemctl reset-failed nftables && systemctl --no-block restart nftables || true
 }
 
-- 
cgit v1.2.3