meta-google: gbmc-ncsi-config: Only recognize impersonation

This is the only case where we need to add the rule; any addresses that
are BMC-specific have a different workflow for assigning the firewall
rules.

Change-Id: If15c0cddb23044f774b55b8585446f923c76d7e8
Signed-off-by: William A. Kennington III <wak@google.com>
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
index 1f3ba25..7f2a516 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
@@ -12,7 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-[ -z "${gbmc_ncsi_nft_lib-}" ] || return
+[ -n "${gbmc_ncsi_nft_lib-}" ] && return
+
+source /usr/share/network/lib.sh || exit
 
 gbmc_ncsi_nft_init=
 gbmc_ncsi_nft_lastip4=
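Review bot: The new `source /usr/share/network/lib.sh || exit` bails out of the shell that is sourcing this library, while the include guard one line above uses `return`, so the two failure paths behave differently for the caller. If a missing lib.sh is meant to be fatal for every consumer, a comment saying so would help; otherwise `source /usr/share/network/lib.sh || return` lets the sourcing script decide. Presumably the dependency is `ip_to_bytes`, which the addr hook in this commit now calls directly; if so, naming that in a comment above the `source` line would document why the library is pulled in here.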
@@ -36,20 +38,13 @@
 
   local ip6="$gbmc_ncsi_nft_lastip6"
   if [ -n "$ip6" ]; then
-    # Normalize the provided ipv6 address to the impersonated ipv6 address
-    local ip6_bytes=()
-    ip_to_bytes ip6_bytes "$ip6"
-    for (( i=8; i<16; ++i )); do
-      ip6_bytes[$i]=0
-    done
-    ip6="$(ip_bytes_to_str ip6_bytes)"
-    contents+="        ip6 daddr $ip6/128 goto ncsi_legacy_input"$'\n'
+    contents+="        ip6 daddr $ip6 goto ncsi_legacy_input"$'\n'
   fi
 
   contents+='    }'$'\n'
   contents+='}'$'\n'
 
-  local rfile=/run/nftables/40-gbmc-ncsi-in.rules
+  local rfile=/run/nftables/30-gbmc-ncsi-in.rules
   mkdir -p -m 755 "$(dirname "$rfile")"
   printf '%s' "$contents" >"$rfile"
 
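Review bot: With the normalization loop removed, `$ip6` is written into the nftables rule text verbatim, so the rule's correctness now depends entirely on the filtering done in the addr hook (the `pfx_bytes` check later in this commit) having run before `gbmc_ncsi_nft_lastip6` was set; a comment such as `# ip6 has already been restricted to a <pfx>:: address by the addr hook` at the rule line would make that coupling visible. Renaming the rules file from `40-gbmc-ncsi-in.rules` to `30-gbmc-ncsi-in.rules` leaves a file written under the old name by a previous version of this script in `/run/nftables` until the next reboot; if the loader picks up every file in that directory, both rule sets would be installed, so `rm -f /run/nftables/40-gbmc-ncsi-in.rules` before the write (or a comment explaining why that cannot happen) seems warranted. The enclosing function begins before this hunk.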
@@ -60,10 +55,17 @@
   if [ "$change" = 'init' ]; then
     gbmc_ncsi_nft_init=1
     gbmc_ncsi_nft_update
-  elif [ "$change" = 'addr' -a "$intf" = '@NCSI_IF@' -a "$scope" = 'global' ] &&
-     [[ "$flags" != *deprecated* ]]; then
+  elif [ "$change" = 'addr' -a "$intf" = '@NCSI_IF@' -a "$scope" = 'global' ]; then
     if [ "$fam" = 'inet6' ]; then
       local -n lastip='gbmc_ncsi_nft_lastip6'
+      local pfx_bytes=()
+      ip_to_bytes pfx_bytes "$ip" || return
+      # We only want to allow a <pfx>:: address
+      for (( i = 8; i < 16; ++i )); do
+        if (( pfx_bytes[i] != 0 )); then
+          return
+        fi
+      done
     else
       local -n lastip='gbmc_ncsi_nft_lastip4'
     fi
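Review bot: The rewritten `elif` drops the `[[ "$flags" != *deprecated* ]]` condition, so a deprecated global address on the NCSI interface is now accepted as the new last address, which the commit message does not mention; if that is intended, a short comment on the `elif` line explaining why deprecated addresses are fine would help, otherwise the condition should be restored. The loop index `i` in the new `for (( i = 8; i < 16; ++i ))` is not declared, so it leaks into the caller's scope; add `local i` next to `local pfx_bytes=()`. The `-a` operators inside `[ ... ]` on the changed `elif` line are obsolescent in POSIX and flagged by ShellCheck (SC2166); `[[ "$change" = 'addr' && "$intf" = '@NCSI_IF@' && "$scope" = 'global' ]]` is the conventional form. The enclosing function continues past the end of this hunk.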