meta-google: gbmc-bridge: install nft rules for traffic redirection

When a BMC connects to multiple CNs, services may want to tell the source of
the traffic. This new package installs the rules accordingly.

Change-Id: I5df17151cb5056386b5eafdcd4ac1ceb3f37e298
Signed-off-by: Yuxiao Zhang <yuxiaozhang@google.com>
diff --git a/meta-google/recipes-google/networking/gbmc-bridge.bb b/meta-google/recipes-google/networking/gbmc-bridge.bb
index d5ee98f..3245eb2 100644
--- a/meta-google/recipes-google/networking/gbmc-bridge.bb
+++ b/meta-google/recipes-google/networking/gbmc-bridge.bb
@@ -28,6 +28,7 @@
   file://gbmc-br-lib.sh \
   file://gbmc-br-load-ip.service \
   file://gbmc-start-dhcp.sh \
+  file://50-gbmc-br-cn-redirect.rules \
   "
 
 FILES:${PN}:append = " \
@@ -113,6 +114,7 @@
   nftables_dir=${D}${sysconfdir}/nftables
   install -d -m0755 "$nftables_dir"
   install -m0644 ${WORKDIR}/50-gbmc-br.rules $nftables_dir/
+  install -m0644 ${WORKDIR}/50-gbmc-br-cn-redirect.rules $nftables_dir/
 
   avahi_dir=${D}${sysconfdir}/avahi/services
   install -d -m 0755 "$avahi_dir"
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br-cn-redirect.rules b/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br-cn-redirect.rules
new file mode 100644
index 0000000..61e8b44
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br-cn-redirect.rules
@@ -0,0 +1,30 @@
+table bridge filter {
+    chain gbmcbr_mark {
+        type filter hook prerouting priority -300;
+        iifname == "cn0" mark set 1 return
+        iifname == "cn1" mark set 2 return
+    }
+}
+
+table inet raw {
+    chain gbmcbr_nat_input {
+        type filter hook prerouting priority -300;
+        # client should only use 10166 for this purpose and
+        # it should NOT use service port directly
+        # otherwise drop later if the packets goes into input
+        tcp dport 10167-10168 mark set 0xff
+        mark 1 tcp dport 10166 tcp dport set 10167 notrack
+        mark 2 tcp dport 10166 tcp dport set 10168 notrack
+    }
+    chain gbmcbr_nat_output {
+        type filter hook output priority -300;
+        tcp sport 10167 tcp sport set 10166 notrack
+        tcp sport 10168 tcp sport set 10166 notrack
+    }
+}
+
+table inet filter {
+    chain gbmc_br_redir_input {
+        mark 0xff drop
+    }
+}
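Review bot: The new rules file has no header comment, so the meaning of marks 1, 2 and 0xff and of the 10166 → 10167/10168 mapping has to be reverse-engineered from the rules themselves; I'd open `table bridge filter` with `# Packets enter via cn0/cn1 but reach the inet hooks as iifname gbmcbr, so the ingress CN is recorded in the mark here (cn0=1, cn1=2)` and add a sentence above `gbmcbr_nat_input` saying that the mark selects the per-CN service port, while 0xff flags a direct connection to 10167/10168 that `gbmc_br_redir_input` drops when 50-gbmc-br.rules jumps to it. Because the redirected flows are `notrack`, they are untracked when they reach the inet filter input chain, so the existing `ct state established accept` will not match them and the per-CN ports 10167/10168 must be accepted explicitly by the chains jumped to afterwards, which are outside this diff and worth confirming. The `mark set` rules in both prerouting chains also overwrite whatever mark the packet already carries, which matters if any other rules on the BMC rely on the mark.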
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules b/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
index 9d82e61..5bc58f0 100644
--- a/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
+++ b/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
@@ -13,6 +13,7 @@
     type filter hook input priority 0; policy drop;
     iifname != gbmcbr accept
     ct state established accept
+    jump gbmc_br_redir_input
     jump gbmc_br_int_input
     jump gbmc_br_pub_input
     reject
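Review bot: The added `jump gbmc_br_redir_input` references a chain that is defined in the new 50-gbmc-br-cn-redirect.rules rather than in this file, so this ruleset now loads only when that file is also present and processed in the same load; a comment such as `# gbmc_br_redir_input is defined in 50-gbmc-br-cn-redirect.rules` would help whoever next edits either file. Placing the jump after `ct state established accept` looks right, since direct connections to the redirected ports are still conntracked and their first packet is dropped before any state exists. The enclosing input chain starts outside the hunk.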