meta-google: gbmc-ncsi-nft: More forward restriction

We only want to allow <pfx>::fd... traffic into the machine area network
from the outside world. Instead of just blocking internal network
addresses from the outside, explicitly look at the prefix.

Change-Id: Id0afef7c813aef381e81b8fcfb570778f529f5dc
Signed-off-by: William A. Kennington III <wak@google.com>
diff --git a/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in b/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
index 70f14ae..938dca3 100644
--- a/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
+++ b/meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in
@@ -25,7 +25,7 @@
         icmpv6 type nd-router-advert accept
     }
     chain ncsi_forward {
-        type filter hook forward priority 0; policy accept;
+        type filter hook forward priority 0; policy drop;
         iifname != @NCSI_IF@ accept
         oifname != gbmcbr drop
         ip6 daddr fdb5:0481:10ce::/64 drop
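Review bot: With `policy drop` on `ncsi_forward`, a packet arriving on `@NCSI_IF@` is forwarded only if an explicit `accept` rule matches it, and no such rule is visible in this hunk; the chain body continues past the last context line, so the prefix match the description mentions presumably sits there. It is worth confirming that the rule exists and comes after the `ip6 daddr fdb5:0481:10ce::/64 drop` line, since otherwise this change blocks all inbound forwarding instead of narrowing it. A comment above the policy line would make the dependency explicit, e.g. `# Default drop: NCSI ingress is forwarded only by the explicit accept rules below`. A default-policy drop carries no counter, so ending the chain with `counter drop` would keep rejected traffic visible in `nft list ruleset`.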