Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / refs/heads/master / . / meta-google / recipes-google / ncsi / files / gbmc-ncsi-nft.sh.in
blob: 7f2a51642b5c6b12168f30efee548ec8604fdd43 [file] [log] [blame]
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]1# Copyright 2021 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
William A. Kennington III757cba22022-05-20 09:55:20 -0700[diff] [blame]15[ -n "${gbmc_ncsi_nft_lib-}" ] && return
16
17source /usr/share/network/lib.sh || exit
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]18
19gbmc_ncsi_nft_init=
20gbmc_ncsi_nft_lastip4=
21gbmc_ncsi_nft_lastip6=
22
23gbmc_ncsi_nft_update() {
24 [ -n "$gbmc_ncsi_nft_init" ] || return
25
26 printf 'NCSI firewall for IPv4(%s) IPv6(%s)\n' \
27 "${gbmc_ncsi_nft_lastip4:-(deleted)}" \
28 "${gbmc_ncsi_nft_lastip6:-(deleted)}" >&2
29
30 local contents=
31 contents+='table inet filter {'$'\n'
32 contents+=' chain ncsi_input {'$'\n'
33
34 local ip4="$gbmc_ncsi_nft_lastip4"
35 if [ -n "$ip4" ]; then
36 contents+=" ip daddr $ip4 goto ncsi_legacy_input"$'\n'
37 fi
38
39 local ip6="$gbmc_ncsi_nft_lastip6"
40 if [ -n "$ip6" ]; then
William A. Kennington III757cba22022-05-20 09:55:20 -0700[diff] [blame]41 contents+=" ip6 daddr $ip6 goto ncsi_legacy_input"$'\n'
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]42 fi
43
44 contents+=' }'$'\n'
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]45 contents+='}'$'\n'
46
William A. Kennington III757cba22022-05-20 09:55:20 -0700[diff] [blame]47 local rfile=/run/nftables/30-gbmc-ncsi-in.rules
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]48 mkdir -p -m 755 "$(dirname "$rfile")"
49 printf '%s' "$contents" >"$rfile"
50
William A. Kennington III7356f8e2021-12-15 02:21:52 -0800[diff] [blame]51 systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]52}
53
54gbmc_ncsi_nft_hook() {
55 if [ "$change" = 'init' ]; then
56 gbmc_ncsi_nft_init=1
57 gbmc_ncsi_nft_update
William A. Kennington III757cba22022-05-20 09:55:20 -0700[diff] [blame]58 elif [ "$change" = 'addr' -a "$intf" = '@NCSI_IF@' -a "$scope" = 'global' ]; then
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]59 if [ "$fam" = 'inet6' ]; then
60 local -n lastip='gbmc_ncsi_nft_lastip6'
William A. Kennington III757cba22022-05-20 09:55:20 -0700[diff] [blame]61 local pfx_bytes=()
62 ip_to_bytes pfx_bytes "$ip" || return
63 # We only want to allow a <pfx>:: address
64 for (( i = 8; i < 16; ++i )); do
65 if (( pfx_bytes[i] != 0 )); then
66 return
67 fi
68 done
William A. Kennington III1ef795b2021-03-10 18:59:12 -0800[diff] [blame]69 else
70 local -n lastip='gbmc_ncsi_nft_lastip4'
71 fi
72 if [ "$action" = 'add' -a "$ip" != "$lastip" ]; then
73 lastip="$ip"
74 gbmc_ncsi_nft_update
75 fi
76 if [ "$action" = 'del' -a "$ip" = "$lastip" ]; then
77 lastip=
78 gbmc_ncsi_nft_update
79 fi
80 fi
81}
82
83GBMC_IP_MONITOR_HOOKS+=(gbmc_ncsi_nft_hook)
84
85gbmc_ncsi_nft_lib=1