Gitiles
Code Review Sign In
gerrit.openbmc.org / mdmillerii / openbmc / c7454fb1c54ec6281a42b7cdb29e746b808eb271 / . / meta-google / recipes-google / ncsi / files / 50-gbmc-ncsi.rules.in
blob: e2ade6e5bc93c9c6246b838ed85b38e18d33fb99 [file] [log] [blame]
William A. Kennington IIIafe167d2021-02-08 20:07:49 -0800[diff] [blame]1table inet filter {
2 chain ncsi_input {
3 type filter hook input priority 0; policy drop;
4 iifname != @NCSI_IF@ accept
5 ct state established accept
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]6 ip6 daddr ff00::/8 goto ncsi_brd_input
7 ip6 daddr fe80::/64 goto ncsi_legacy_input
8 }
9 chain ncsi_gbmc_br_pub_input {
10 jump gbmc_br_pub_input
William A. Kennington IIIc7454fb2021-09-14 16:01:37 -0700[diff] [blame^]11 jump ncsi_legacy_input
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]12 reject
13 }
14 chain gbmc_br_pub_input {
15 }
16 chain ncsi_legacy_input {
17 jump ncsi_brd_input
William A. Kennington IIIafe167d2021-02-08 20:07:49 -0800[diff] [blame]18 tcp dport 3959 accept
19 udp dport 3959 accept
20 tcp dport 3967 accept
21 udp dport 3967 accept
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]22 }
23 chain ncsi_brd_input {
William A. Kennington IIIafe167d2021-02-08 20:07:49 -0800[diff] [blame]24 icmpv6 type nd-neighbor-advert accept
25 icmpv6 type nd-neighbor-solicit accept
26 icmpv6 type nd-router-advert accept
27 }
William A. Kennington III5ba6d082021-03-10 19:24:22 -0800[diff] [blame]28 chain ncsi_forward {
William A. Kennington IIIcf1e7272021-05-12 00:57:41 -0700[diff] [blame]29 type filter hook forward priority 0; policy drop;
William A. Kennington III5ba6d082021-03-10 19:24:22 -0800[diff] [blame]30 iifname != @NCSI_IF@ accept
31 oifname != gbmcbr drop
32 ip6 daddr fdb5:0481:10ce::/64 drop
33 ip6 saddr fdb5:0481:10ce::/64 drop
34 }
William A. Kennington III96745092021-08-06 00:06:42 -0700[diff] [blame]35 chain ncsi_dhcp_input {
36 type filter hook input priority 0; policy drop;
37 iifname != ncsigbmc accept
38 ip6 nexthdr icmpv6 accept
39 udp dport 547 accept
40 }
William A. Kennington IIIafe167d2021-02-08 20:07:49 -0800[diff] [blame]41}