meta-google: gbmc-bridge: Fix nftables rules for local BMC address We want to use sets instead of separate rules for each address. This also ensures that packets coming from internal sources are matched as internal packets. Change-Id: Iff87b81c48c7491a74af1a2cead4cabcb56d81a0 Signed-off-by: William A. Kennington III <wak@google.com>

commit: cffcaa7ab580855b658fdd2509db166263821ea5 [log] [tgz]
author: William A. Kennington III <wak@google.com> Wed Sep 08 13:06:00 2021 -0700
committer: William A. Kennington III <wak@google.com> Sat Sep 11 21:28:14 2021 +0000
tree: bd7afe04b9ec8a9f6ae6c0b4549d65e74a6f5c00
parent: 31ff6c42f09573a25a0583fe1e0badab93e0476e [diff]
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules b/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
index 1a5e633..475cc02 100644
--- a/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
+++ b/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules

@@ -16,10 +16,18 @@
     jump gbmc_br_pub_input
     reject
   }
+  set gbmc_br_int_addrs {
+    type ipv6_addr;
+    flags interval
+    elements = {
+      ff00::/8,
+      fe80::/64,
+      fdb5:0481:10ce::/64,
+    }
+  }
   chain gbmc_br_int_input {
-    ip6 daddr ff00::/8 accept
-    ip6 daddr fe80::/64 accept
-    ip6 daddr fdb5:0481:10ce::/64 accept
+    ip6 daddr @gbmc_br_int_addrs accept
+    ip6 saddr @gbmc_br_int_addrs accept
   }
   chain gbmc_br_pub_input {
     ip6 nexthdr icmpv6 accept
commit	cffcaa7ab580855b658fdd2509db166263821ea5	[log] [tgz]
author	William A. Kennington III <wak@google.com>	Wed Sep 08 13:06:00 2021 -0700
committer	William A. Kennington III <wak@google.com>	Sat Sep 11 21:28:14 2021 +0000
tree	bd7afe04b9ec8a9f6ae6c0b4549d65e74a6f5c00
parent	31ff6c42f09573a25a0583fe1e0badab93e0476e [diff]