Gitiles
Code Review Sign In
gerrit.openbmc.org / mdmillerii / openbmc / 26da90befcb4633d7ab5ba2e54b8515e7402bdb9 / . / meta-google / recipes-google / ncsi / files / 50-gbmc-ncsi.rules.in
blob: 303dbca8c727d8a865f2e69b6763ffbd02c83a4b [file] [log] [blame]
William A. Kennington IIIafe167d2021-02-08 20:07:49 -0800[diff] [blame]1table inet filter {
2 chain ncsi_input {
3 type filter hook input priority 0; policy drop;
4 iifname != @NCSI_IF@ accept
5 ct state established accept
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]6 ip6 daddr ff00::/8 goto ncsi_brd_input
7 ip6 daddr fe80::/64 goto ncsi_legacy_input
8 }
9 chain ncsi_gbmc_br_pub_input {
10 jump gbmc_br_pub_input
William A. Kennington IIIc7454fb2021-09-14 16:01:37 -0700[diff] [blame]11 jump ncsi_legacy_input
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]12 reject
13 }
14 chain gbmc_br_pub_input {
15 }
16 chain ncsi_legacy_input {
William A. Kennington IIIa27086f2022-01-19 09:57:22 -0800[diff] [blame]17 jump ncsi_any_input
William A. Kennington IIIafe167d2021-02-08 20:07:49 -0800[diff] [blame]18 tcp dport 3959 accept
19 udp dport 3959 accept
20 tcp dport 3967 accept
21 udp dport 3967 accept
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]22 }
23 chain ncsi_brd_input {
William A. Kennington IIIa27086f2022-01-19 09:57:22 -0800[diff] [blame]24 jump ncsi_any_input
25 }
26 chain ncsi_any_input {
William A. Kennington IIIafe167d2021-02-08 20:07:49 -0800[diff] [blame]27 icmpv6 type nd-neighbor-advert accept
28 icmpv6 type nd-neighbor-solicit accept
29 icmpv6 type nd-router-advert accept
30 }
William A. Kennington III5ba6d082021-03-10 19:24:22 -0800[diff] [blame]31 chain ncsi_forward {
William A. Kennington IIIcf1e7272021-05-12 00:57:41 -0700[diff] [blame]32 type filter hook forward priority 0; policy drop;
William A. Kennington III5ba6d082021-03-10 19:24:22 -0800[diff] [blame]33 iifname != @NCSI_IF@ accept
34 oifname != gbmcbr drop
35 ip6 daddr fdb5:0481:10ce::/64 drop
36 ip6 saddr fdb5:0481:10ce::/64 drop
37 }
William A. Kennington III96745092021-08-06 00:06:42 -0700[diff] [blame]38 chain ncsi_dhcp_input {
39 type filter hook input priority 0; policy drop;
40 iifname != ncsigbmc accept
41 ip6 nexthdr icmpv6 accept
42 udp dport 547 accept
43 }
William A. Kennington IIIafe167d2021-02-08 20:07:49 -0800[diff] [blame]44}