meta-google: gbmc-ncsi-config: Restrict NCSI input packets
Break down packets by their incoming address and ensure that we don't
allow packets to unintended destinations. Right now this is effectively
a no-op, but it will be necessary for BMC public addressing.
Change-Id: I39c16c3b9cd4c293df42b928674e39677d7834e9
Signed-off-by: William A. Kennington III <wak@google.com>
diff --git a/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in b/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
index 33031f0..4ebe351 100644
--- a/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
+++ b/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
@@ -3,10 +3,23 @@
type filter hook input priority 0; policy drop;
iifname != @NCSI_IF@ accept
ct state established accept
+ ip6 daddr ff00::/8 goto ncsi_brd_input
+ ip6 daddr fe80::/64 goto ncsi_legacy_input
+ }
+ chain ncsi_gbmc_br_pub_input {
+ jump gbmc_br_pub_input
+ reject
+ }
+ chain gbmc_br_pub_input {
+ }
+ chain ncsi_legacy_input {
+ jump ncsi_brd_input
tcp dport 3959 accept
udp dport 3959 accept
tcp dport 3967 accept
udp dport 3967 accept
+ }
+ chain ncsi_brd_input {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
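Review bot: The port accepts for 3959/3967 are now reachable only through the `ip6 daddr fe80::/64 goto ncsi_legacy_input` rule, so any IPv4 packet and any IPv6 packet to a non-link-local, non-multicast destination on the NCSI interface falls through to `policy drop`; before this hunk those accepts applied regardless of address family, so the "effectively a no-op" claim in the description holds only if the interface never carries such traffic, which is worth stating in the file, e.g. `# only link-local and multicast destinations are expected on the NCSI interface; anything else is dropped by policy`. `ncsi_gbmc_br_pub_input` is defined but no rule in this hunk routes to it, so a reader cannot tell whether that is an oversight; a comment such as `# not yet referenced; reserved for BMC public addressing` next to its definition would make the intent explicit. Note also that `ncsi_gbmc_br_pub_input` ends in `reject` while the base chain uses `policy drop`, which will answer unwanted packets to the future public address with ICMP errors rather than silently discarding them — presumably deliberate, but a one-line comment would confirm it. The `ncsi_brd_input` chain continues past the end of the hunk.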