meta-google: gbmc-nic-config: Add recipe
This makes it possible for a machine to specify `GBMC_EXT_NICS` in the
machine configuration, signifying that it should treat an interface as
an external interface to the machine. It will then perform DHCP and
acquire gateway information and route all subordinate traffic out this
interface.
Change-Id: I75b0747b4e35bf6717c9a33a1f96a11beb425bb9
Signed-off-by: William A. Kennington III <wak@google.com>
diff --git a/meta-google/recipes-google/networking/gbmc-nic-config.bb b/meta-google/recipes-google/networking/gbmc-nic-config.bb
new file mode 100644
index 0000000..e804e26
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-nic-config.bb
@@ -0,0 +1,79 @@
+SUMMARY = "Configured gBMC non-NCSI interface"
+PR = "r1"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+GBMC_EXT_NICS ?= ""
+GBMC_DHCP_RELAY ??= "${@'' if int(d.getVar('FLASH_SIZE')) < 65536 else '1'}"
+
+inherit systemd
+
+SRC_URI += " \
+ file://50-gbmc-nic.rules \
+ file://50-gbmc-nic.rules.in \
+ file://-bmc-nic.network.in \
+ file://gbmc-nic-neigh.sh.in \
+ file://gbmc-nic-ra.sh \
+ file://gbmc-nic-ra@.service \
+ ${@'' if d.getVar('GBMC_DHCP_RELAY') != '1' else 'file://-bmc-gbmcbrnicdhcp.netdev'} \
+ ${@'' if d.getVar('GBMC_DHCP_RELAY') != '1' else 'file://-bmc-gbmcbrnicdhcp.network'} \
+ ${@'' if d.getVar('GBMC_DHCP_RELAY') != '1' else 'file://-bmc-gbmcnicdhcp.netdev'} \
+ ${@'' if d.getVar('GBMC_DHCP_RELAY') != '1' else 'file://-bmc-gbmcnicdhcp.network'} \
+ ${@'' if d.getVar('GBMC_DHCP_RELAY') != '1' else 'file://gbmc-nic-dhcrelay.service.in'} \
+ "
+S = "${WORKDIR}"
+
+FILES:${PN} += " \
+ ${systemd_unitdir}/network \
+ ${sysconfdir}/nftables \
+ ${systemd_system_unitdir} \
+ ${datadir}/gbmc-ip-monitor \
+ "
+
+RDEPENDS:${PN}:append = " \
+ bash \
+ gbmc-ip-monitor \
+ gbmc-net-common \
+ nftables-systemd \
+ "
+
+do_install() {
+ netdir=${D}${systemd_unitdir}/network
+ install -d -m0755 $netdir
+ nftdir=${D}${sysconfdir}/nftables
+ install -d -m0755 $nftdir
+ unitdir=${D}${systemd_system_unitdir}
+ install -d -m0755 $unitdir
+ wantdir=$unitdir/multi-user.target.wants
+ install -d -m0755 $wantdir
+
+ install -d -m0755 ${D}${libexecdir}
+ install -m0755 ${WORKDIR}/gbmc-nic-ra.sh ${D}${libexecdir}/
+ install -m0644 ${WORKDIR}/gbmc-nic-ra@.service $unitdir/
+
+ mondir=${D}${datadir}/gbmc-ip-monitor
+ install -d -m0755 $mondir
+ sed 's,@IFS@,${GBMC_EXT_NICS},g' <${WORKDIR}/gbmc-nic-neigh.sh.in \
+ >$mondir/gbmc-nic-neigh.sh
+
+ uppers=
+ for intf in ${GBMC_EXT_NICS}; do
+ sed "s,@IF@,$intf,g" <${WORKDIR}/50-gbmc-nic.rules.in >$nftdir/50-gbmc-$intf.rules
+ sed "s,@IF@,$intf,g" <${WORKDIR}/-bmc-nic.network.in >$netdir/-bmc-$intf.network
+ uppers="$uppers -u ff02::1:2%%$intf"
+ ln -sv ../gbmc-nic-ra@.service $wantdir/gbmc-nic-ra@$intf.service
+ done
+
+ if [ "${GBMC_DHCP_RELAY}" = 1 ]; then
+ install -m0644 ${WORKDIR}/-bmc-gbmcbrnicdhcp.network $netdir/
+ install -m0644 ${WORKDIR}/-bmc-gbmcbrnicdhcp.netdev $netdir/
+ install -m0644 ${WORKDIR}/-bmc-gbmcnicdhcp.network $netdir/
+ install -m0644 ${WORKDIR}/-bmc-gbmcnicdhcp.netdev $netdir/
+ install -m0644 ${WORKDIR}/50-gbmc-nic.rules $nftdir/
+
+ sed "s,@UPPERS@,$uppers,g" <${WORKDIR}/gbmc-nic-dhcrelay.service.in \
+ >$unitdir/gbmc-nic-dhcrelay.service
+ ln -sv ../gbmc-nic-dhcrelay.service $wantdir/
+ fi
+}
+
diff --git a/meta-google/recipes-google/networking/gbmc-nic-config/-bmc-gbmcbrnicdhcp.netdev b/meta-google/recipes-google/networking/gbmc-nic-config/-bmc-gbmcbrnicdhcp.netdev
new file mode 100644
index 0000000..1d9ca4a
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-nic-config/-bmc-gbmcbrnicdhcp.netdev
@@ -0,0 +1,5 @@
+[NetDev]
+Name=gbmcbrnicdhcp
+Kind=veth
+[Peer]
+Name=gbmcnicdhcp
diff --git a/meta-google/recipes-google/networking/gbmc-nic-config/-bmc-gbmcbrnicdhcp.network b/meta-google/recipes-google/networking/gbmc-nic-config/-bmc-gbmcbrnicdhcp.network
new file mode 100644
index 0000000..73212db
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-nic-config/-bmc-gbmcbrnicdhcp.network
@@ -0,0 +1,4 @@
+[Match]
+Name=gbmcbrnicdhcp
+[Network]
+Bridge=gbmcbr
diff --git a/meta-google/recipes-google/networking/gbmc-nic-config/-bmc-gbmcnicdhcp.netdev b/meta-google/recipes-google/networking/gbmc-nic-config/-bmc-gbmcnicdhcp.netdev
new file mode 100644
index 0000000..24a78fb
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-nic-config/-bmc-gbmcnicdhcp.netdev
@@ -0,0 +1,5 @@
+[NetDev]
+Name=gbmcnicdhcp
+Kind=veth
+[Peer]
+Name=gbmcbrnicdhcp
diff --git a/meta-google/recipes-google/networking/gbmc-nic-config/-bmc-gbmcnicdhcp.network b/meta-google/recipes-google/networking/gbmc-nic-config/-bmc-gbmcnicdhcp.network
new file mode 100644
index 0000000..1eae55a
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-nic-config/-bmc-gbmcnicdhcp.network
@@ -0,0 +1,9 @@
+[Match]
+Name=gbmcnicdhcp
+[Network]
+DHCP=false
+IPv6AcceptRA=false
+LLMNR=false
+MulticastDNS=false
+LinkLocalAddressing=ipv6
+Address=fdb5:0481:10ce::3/64
diff --git a/meta-google/recipes-google/networking/gbmc-nic-config/-bmc-nic.network.in b/meta-google/recipes-google/networking/gbmc-nic-config/-bmc-nic.network.in
new file mode 100644
index 0000000..08c2eee
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-nic-config/-bmc-nic.network.in
@@ -0,0 +1,8 @@
+[Match]
+Name=@IF@
+[Network]
+DHCP=false
+IPv6AcceptRA=false
+LLMNR=false
+MulticastDNS=false
+LinkLocalAddressing=ipv6
diff --git a/meta-google/recipes-google/networking/gbmc-nic-config/50-gbmc-nic.rules b/meta-google/recipes-google/networking/gbmc-nic-config/50-gbmc-nic.rules
new file mode 100644
index 0000000..cbedfb9
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-nic-config/50-gbmc-nic.rules
@@ -0,0 +1,8 @@
+table inet filter {
+ chain nic_dhcp_input {
+ type filter hook input priority 0; policy drop;
+ iifname != gbmcnicdhcp accept
+ ip6 nexthdr icmpv6 accept
+ udp dport 547 accept
+ }
+}
diff --git a/meta-google/recipes-google/networking/gbmc-nic-config/50-gbmc-nic.rules.in b/meta-google/recipes-google/networking/gbmc-nic-config/50-gbmc-nic.rules.in
new file mode 100644
index 0000000..feba64d
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-nic-config/50-gbmc-nic.rules.in
@@ -0,0 +1,19 @@
+table inet filter {
+ chain @IF@_input {
+ type filter hook input priority 0; policy drop;
+ iifname != @IF@ accept
+ ct state established accept
+ udp dport 547 accept
+ jump gbmc_br_pub_input
+ }
+ chain gbmc_br_pub_input {
+ ip6 nexthdr icmpv6 accept
+ }
+ chain @IF@_forward {
+ type filter hook forward priority 0; policy drop;
+ iifname != @IF@ accept
+ oifname != gbmcbr drop
+ ip6 daddr fdb5:0481:10ce::/64 drop
+ ip6 saddr fdb5:0481:10ce::/64 drop
+ }
+}
diff --git a/meta-google/recipes-google/networking/gbmc-nic-config/gbmc-nic-dhcrelay.service.in b/meta-google/recipes-google/networking/gbmc-nic-config/gbmc-nic-dhcrelay.service.in
new file mode 100644
index 0000000..8571ae1
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-nic-config/gbmc-nic-dhcrelay.service.in
@@ -0,0 +1,13 @@
+[Unit]
+Description=gBMC DHCP Relay Agent Daemon
+After=network.target
+StartLimitIntervalSec=10
+StartLimitBurst=3
+
+[Service]
+Restart=always
+RestartSec=5
+ExecStart=/usr/sbin/dhcrelay -d --no-pid -l gbmcnicdhcp @UPPERS@
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-google/recipes-google/networking/gbmc-nic-config/gbmc-nic-neigh.sh.in b/meta-google/recipes-google/networking/gbmc-nic-config/gbmc-nic-neigh.sh.in
new file mode 100644
index 0000000..5f3f47f
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-nic-config/gbmc-nic-neigh.sh.in
@@ -0,0 +1,99 @@
+#!/bin/bash
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[[ -n ${gbmc_nic_neigh_lib-} ]] && return
+
+# shellcheck source=meta-google/recipes-google/networking/network-sh/lib.sh
+source /usr/share/network/lib.sh || exit
+
+gbmc_nic_neigh_intfs=(@IFS@)
+gbmc_nic_neigh_addr=
+
+gbmc_nic_neigh_set() {
+ local act="$1"
+ local ip="$2"
+
+ echo "gBMC NIC Neigh $act $ip: ${gbmc_nic_neigh_intfs[*]}" >&2
+
+ local intf
+ local failed_intfs=()
+ for intf in "${gbmc_nic_neigh_intfs[@]}"; do
+ # In case we don't have a base network file, make one
+ # this is intentionally 00- as it will not preceed /etc/systemd/network/00-*
+ # or /lib/systemd/network/-* files.
+ local file=/run/systemd/network/00-bmc-$intf.network
+ printf '[Match]\nName=%s\n[Network]\nDHCP=false\nIPv6AcceptRA=false\nLinkLocalAddressing=yes' \
+ "$intf" >"$file"
+
+ # Override any existing gateway information within files
+ # Make sure we cover `00-*` and `-*` files
+ for file in /run/systemd/network/{00,}-bmc-"$intf".network; do
+ mkdir -p "$file.d"
+ if [[ "$act" == add ]]; then
+ printf '[Network]\nIPv6ProxyNDP=yes\nIPv6ProxyNDPAddress=%s\n' \
+ "$ip" >"$file.d"/10-nic-neigh.conf
+ else
+ rm -f "$file.d"/10-nic-neigh.conf
+ fi
+ done
+
+ sysctl net.ipv6.conf."$intf".proxy_ndp=1 >/dev/null && \
+ ip -6 neigh "$act" proxy "$ip" dev "$intf" || \
+ failed_intfs+=("$intf")
+ done
+ [[ "$act" == del ]] && return
+ if (( "${#failed_intfs[@]}" > 0 )); then
+ networkctl reload || true
+ fi
+ for intf in "${failed_intfs[@]}"; do
+ networkctl reconfigure "$intf" || true
+ done
+}
+
+gbmc_nic_neigh_hook() {
+ # shellcheck disable=SC2154
+ if [[ $change == addr && $intf == gbmcbr && $scope == global ]] &&
+ [[ $fam == inet6 && $flags != *tentative* ]]; then
+ local ip_bytes=()
+ if ! ip_to_bytes ip_bytes "$ip"; then
+ echo "gBMC Bridge Ensure RA Invalid IP: $ip" >&2
+ return 1
+ fi
+ # Ignore ULAs
+ if (( (ip_bytes[0] & 0xfe) == 0xfc )); then
+ return 0
+ fi
+ # Addresses must be /64 to the upstack switch
+ for (( i = 8; i < 16; ++i )); do
+ if (( ip_bytes[i] != 0 )); then
+ return 0
+ fi
+ done
+ if [[ $action == add && "$gbmc_nic_neigh_addr" != "$ip" ]]; then
+ if [ -n "$gbmc_nic_neigh_addr" ]; then
+ gbmc_nic_neigh_set del "$gbmc_nic_neigh_addr"
+ fi
+ gbmc_nic_neigh_addr="$ip"
+ gbmc_nic_neigh_set add "$ip"
+ elif [[ $action == del && "$gbmc_nic_neigh_addr" == "$ip" ]]; then
+ gbmc_nic_neigh_addr=
+ gbmc_nic_neigh_set del "$ip"
+ fi
+ fi
+}
+
+GBMC_IP_MONITOR_HOOKS+=(gbmc_nic_neigh_hook)
+
+gbmc_nic_neigh_lib=1
diff --git a/meta-google/recipes-google/networking/gbmc-nic-config/gbmc-nic-ra.sh b/meta-google/recipes-google/networking/gbmc-nic-config/gbmc-nic-ra.sh
new file mode 100755
index 0000000..98239c3
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-nic-config/gbmc-nic-ra.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+update_rtr() {
+ default_update_rtr "$@"
+}
+
+update_fqdn() {
+ true
+}
+
+update_pfx() {
+ true
+}
+
+RA_IF=$1
+IP_OFFSET=0
+# This is guaranteed to be closer to the ToR than NCSI, for reliability
+# and bandwidth we want to prefer this path.
+ROUTE_METRIC=800
+
+# shellcheck source=meta-google/recipes-google/networking/gbmc-net-common/gbmc-ra.sh
+source /usr/share/gbmc-ra.sh || exit
diff --git a/meta-google/recipes-google/networking/gbmc-nic-config/gbmc-nic-ra@.service b/meta-google/recipes-google/networking/gbmc-nic-config/gbmc-nic-ra@.service
new file mode 100644
index 0000000..54d77df
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-nic-config/gbmc-nic-ra@.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=gBMC %i RA Discovery
+After=network.target
+StartLimitIntervalSec=10
+StartLimitBurst=3
+
+[Service]
+Restart=always
+RestartSec=5
+ExecStart=/usr/libexec/gbmc-nic-ra.sh %i
+
+[Install]
+WantedBy=multi-user.target