Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / refs/heads/master / . / meta-google / recipes-google / ncsi / files / 50-gbmc-ncsi.rules.in
blob: d0f883ead7a34230d931eb432f03da876948af40 [file] [log] [blame]
William A. Kennington IIIafe167d2021-02-08 20:07:49 -0800[diff] [blame]1table inet filter {
2 chain ncsi_input {
3 type filter hook input priority 0; policy drop;
4 iifname != @NCSI_IF@ accept
5 ct state established accept
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]6 ip6 daddr ff00::/8 goto ncsi_brd_input
7 ip6 daddr fe80::/64 goto ncsi_legacy_input
8 }
9 chain ncsi_gbmc_br_pub_input {
10 jump gbmc_br_pub_input
William A. Kennington IIIc7454fb2021-09-14 16:01:37 -0700[diff] [blame]11 jump ncsi_legacy_input
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]12 reject
13 }
14 chain gbmc_br_pub_input {
William A. Kennington III9326df82022-05-20 09:43:02 -0700[diff] [blame]15 ip6 nexthdr icmpv6 accept
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]16 }
17 chain ncsi_legacy_input {
William A. Kennington IIIa27086f2022-01-19 09:57:22 -0800[diff] [blame]18 jump ncsi_any_input
William A. Kennington IIIafe167d2021-02-08 20:07:49 -0800[diff] [blame]19 tcp dport 3959 accept
20 udp dport 3959 accept
21 tcp dport 3967 accept
22 udp dport 3967 accept
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]23 }
24 chain ncsi_brd_input {
William A. Kennington IIIa27086f2022-01-19 09:57:22 -0800[diff] [blame]25 jump ncsi_any_input
26 }
27 chain ncsi_any_input {
William A. Kennington IIIafe167d2021-02-08 20:07:49 -0800[diff] [blame]28 icmpv6 type nd-neighbor-advert accept
29 icmpv6 type nd-neighbor-solicit accept
30 icmpv6 type nd-router-advert accept
31 }
William A. Kennington III5ba6d082021-03-10 19:24:22 -0800[diff] [blame]32 chain ncsi_forward {
William A. Kennington IIIcf1e7272021-05-12 00:57:41 -0700[diff] [blame]33 type filter hook forward priority 0; policy drop;
William A. Kennington III5ba6d082021-03-10 19:24:22 -0800[diff] [blame]34 iifname != @NCSI_IF@ accept
35 oifname != gbmcbr drop
36 ip6 daddr fdb5:0481:10ce::/64 drop
37 ip6 saddr fdb5:0481:10ce::/64 drop
38 }
William A. Kennington III96745092021-08-06 00:06:42 -0700[diff] [blame]39 chain ncsi_dhcp_input {
40 type filter hook input priority 0; policy drop;
William A. Kennington III032ce782023-11-08 19:24:57 -0800[diff] [blame]41 iifname != gbmcncsidhcp accept
William A. Kennington III96745092021-08-06 00:06:42 -0700[diff] [blame]42 ip6 nexthdr icmpv6 accept
43 udp dport 547 accept
44 }
William A. Kennington IIIafe167d2021-02-08 20:07:49 -0800[diff] [blame]45}