meta-google: gbmc-ncsi-config: Fix deprecated address nft
The nft rules were not deleted in cases where the public addresses are
removed from the gbmc-br interface. This would create broken rules.
Change-Id: I22a88f1fb15ccbea49e586061ea8e93bbbfb1bc1
Signed-off-by: William A. Kennington III <wak@google.com>
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
index 7b07025..677ef28 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
@@ -29,6 +29,7 @@
"${gbmc_ncsi_br_deprecated_ips_lastip:-(deleted)}" >&2
local contents=
+ local nfcontents=
if [ -n "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then
local pfx_bytes=()
ip_to_bytes pfx_bytes "$gbmc_ncsi_br_deprecated_ips_lastip"
@@ -50,6 +51,16 @@
Address=$host_pfx/128
PreferredLifetime=0
EOF
+ read -r -d '' nfcontents <<EOF
+table inet filter {
+ chain ncsi_input {
+ ip6 saddr != $pfx/76 ip6 daddr $pfx/76 goto ncsi_gbmc_br_pub_input
+ }
+ chain ncsi_forward {
+ ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept
+ }
+}
+EOF
fi
local file
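Review bot: The new `read -r -d '' nfcontents <<EOF` always returns non-zero, because a NUL delimiter is never found before end of input, so if this function is ever run under `set -e` (or its status is checked by a caller) the assignment aborts the function right after filling `nfcontents`; the removed `contents` read used the same idiom, so this is presumably already tolerated, but it is worth making explicit with `read -r -d '' nfcontents <<EOF || true`. Moving the heredoc inside the `if [ -n "$gbmc_ncsi_br_deprecated_ips_lastip" ]` block is the actual fix, since `$pfx` is only computed in that branch; a one-line comment such as `# Only emit nft rules while a deprecated prefix is still assigned; otherwise the rules would reference an empty prefix.` would record that intent for the next reader. The enclosing function starts outside this hunk.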
@@ -70,19 +81,13 @@
networkctl reload && networkctl reconfigure @NCSI_IF@
fi
- read -r -d '' contents <<EOF
-table inet filter {
- chain ncsi_input {
- ip6 saddr != $pfx/76 ip6 daddr $pfx/76 goto ncsi_gbmc_br_pub_input
- }
- chain ncsi_forward {
- ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept
- }
-}
-EOF
- rfile=/run/nftables/40-gbmc-ncsi-br.rules
+ local rfile=/run/nftables/40-gbmc-ncsi-br.rules
mkdir -p -m 755 "$(dirname "$rfile")"
- printf '%s' "$contents" >"$rfile"
+ if [ -z "$nfcontents" ]; then
+ rm -f "$rfile"
+ else
+ printf '%s' "$nfcontents" >"$rfile"
+ fi
systemctl reset-failed nftables && systemctl --no-block restart nftables || true
}
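Review bot: The `rm -f "$rfile"` branch is the behaviour the commit message promises but nothing in the code says why the file must go, so a comment above `if [ -z "$nfcontents" ]; then` such as `# No deprecated prefix left on gbmc-br: remove the rules file so nftables does not keep matching a prefix that is no longer ours.` would tie the branch to the stale-rule problem. The write path is also non-atomic: `printf '%s' "$nfcontents" >"$rfile"` leaves a truncated file visible if two invocations overlap or the script is interrupted, so writing to `"$rfile.tmp"` and then `mv -f "$rfile.tmp" "$rfile"` would make the restart on the following line always see either the old or the complete new rule set. The enclosing function begins outside this hunk, so I cannot see whether `pfx` is guaranteed non-empty whenever `nfcontents` is non-empty; if it is not, the `-z` test should be on `$pfx` as well.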