From cf1e7270226fd27f72d9c70caf422376a8a14404 Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Wed, 12 May 2021 00:57:41 -0700
Subject: meta-google: gbmc-ncsi-nft: More forward restriction
We only want to allow ::fd... traffic info the machine area network from the outside world. Instead of just blocking internal network addresses from the outside, explicitly look at the prefix.
Change-Id: Id0afef7c813aef381e81b8fcfb570778f529f5dc
Signed-off-by: William A. Kennington III
---
 meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in | 2 +-
 meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
(limited to 'meta-google')
diff --git a/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in b/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
index 70f14ae595..938dca34be 100644
--- a/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
+++ b/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
@@ -25,7 +25,7 @@ table inet filter {
 icmpv6 type nd-router-advert accept
 }
 chain ncsi_forward {
- type filter hook forward priority 0; policy accept;
+ type filter hook forward priority 0; policy drop;
 iifname != @NCSI_IF@ accept
 oifname != gbmcbr drop
 ip6 daddr fdb5:0481:10ce::/64 drop
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
index 727c8b643d..93d1a4ad2f 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
@@ -58,6 +58,11 @@ gbmc_ncsi_nft_update() {
 fi
 fi
+ contents+=' }'$'\n'
+ contents+=' chain ncsi_forward {'$'\n'
+ if [ -n "$pfx" ]; then
+ contents+=" ip6 saddr != $pfx/72 ip6 daddr $pfx/72 accept"$'\n'
+ fi
 contents+=' }'$'\n'
 contents+='}'$'\n'
--
cgit v1.2.3
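Review bot: With `policy drop` on the ncsi_forward base chain, the only path that forwards traffic from @NCSI_IF@ onto gbmcbr is the accept rule that gbmc-ncsi-nft.sh.in appends at runtime, so until a prefix has been learned (or if that generated ruleset fails to load) every forwarded packet from the NCSI side is dropped. That fail-closed behaviour is presumably intended, but nothing in this file says so, and the static `ip6 daddr fdb5:0481:10ce::/64 drop` now reads as redundant unless a reader knows it is kept as defence in depth against a too-broad dynamic accept. I would add a comment above the chain: `# Forward policy is drop: the only accept for NCSI -> gbmcbr traffic is the per-prefix rule appended by gbmc-ncsi-nft.sh; the explicit ULA drop stays as a backstop.` The enclosing `table inet filter` definition starts and ends outside the hunk.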
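Review bot: `$pfx` is interpolated unvalidated into the nft script on the line `ip6 saddr != $pfx/72 ip6 daddr $pfx/72 accept`; where it comes from is outside the hunk, but if it ever holds anything other than a bare IPv6 address the generated file either fails to load (leaving ncsi_forward at the new drop policy with no accept rule, so all NCSI-to-bridge forwarding silently stops) or, if it contains `;`/newlines, injects extra rules into the ruleset. A cheap guard before the `-n` test, such as `[[ "$pfx" =~ ^[0-9a-fA-F:]+$ ]] || pfx=`, keeps a bad value from reaching `nft -f`, and the `/72` mask should carry a comment saying why it differs from the `/64` used in 50-gbmc-ncsi.rules.in. Note also that the generated `chain ncsi_forward {` carries no hook declaration, which is correct only if the base chain from the rules file is already loaded when this runs; if ordering is not guaranteed, a comment stating that dependency would help. The body of gbmc_ncsi_nft_update starts before the hunk, so I cannot see whether the chain is flushed before these rules are appended on repeated updates.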