meta-google: gbmc-ncsi-config: Restrict NCSI input packets
Break down packets by their incoming address and ensure that we don't
allow packets to unintended destinations. Right now this is effectively
a no-op, but it will be necessary for BMC public addressing.
Change-Id: I39c16c3b9cd4c293df42b928674e39677d7834e9
Signed-off-by: William A. Kennington III <wak@google.com>
diff --git a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
index ecdda2c..b833810 100644
--- a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
+++ b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
@@ -9,17 +9,22 @@
file://50-gbmc-ncsi.rules.in \
file://gbmc-ncsi-sslh.socket.in \
file://gbmc-ncsi-sslh.service \
+ file://gbmc-ncsi-nft.sh.in \
"
S = "${WORKDIR}"
RDEPENDS_${PN} += " \
+ gbmc-ip-monitor \
ncsid \
nftables-systemd \
sslh \
"
-FILES_${PN} += "${systemd_unitdir}"
+FILES_${PN} += " \
+ ${datadir}/gbmc-ip-monitor \
+ ${systemd_unitdir} \
+ "
SYSTEMD_SERVICE_${PN} += " \
gbmc-ncsi-sslh.service \
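Review bot: The new FILES entry claims the whole `${datadir}/gbmc-ip-monitor` directory rather than the one hook this recipe installs there, which is looser than the rest of this recipe's packaging (the units are listed individually). Narrowing it to `${datadir}/gbmc-ip-monitor/gbmc-ncsi-nft.sh` keeps the package contents explicit and avoids silently absorbing any other file a future do_install change drops into that directory. The `file://gbmc-ncsi-nft.sh.in` template added to SRC_URI is not part of the diff as shown here; if it is not added elsewhere in this series the fetch step will fail, and the actual nft rules that implement the destination restriction cannot be reviewed from this hunk.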
@@ -50,7 +55,7 @@
nftdir=${D}${sysconfdir}/nftables
install -d -m0755 "$nftdir"
- sed "s,@NCSI_IF@,$if_name," ${WORKDIR}/50-gbmc-ncsi.rules.in \
+ sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/50-gbmc-ncsi.rules.in \
>"$nftdir"/50-gbmc-ncsi.rules
wantdir=${D}${systemd_system_unitdir}/multi-user.target.wants
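Review bot: The sed expression splices `$if_name` into the replacement text unescaped, so a value containing `,`, `&` or `\` would change the expression rather than be substituted literally; the same applies to the sed lines in the two later hunks. The assignment of `if_name` is outside this hunk, so whether it is a fixed build-time configuration value or something less constrained cannot be confirmed here. A one-line guard before the first substitution makes the assumption explicit, e.g. `case "$if_name" in *[,\&\\]*) bbfatal "unsupported characters in NCSI interface name: $if_name";; esac`.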
@@ -58,6 +63,12 @@
ln -sv ../ncsid@.service "$wantdir"/ncsid@$if_name.service
install -m 0644 ${WORKDIR}/gbmc-ncsi-sslh.service ${D}${systemd_system_unitdir}
- sed "s,@NCSI_IF@,$if_name," ${WORKDIR}/gbmc-ncsi-sslh.socket.in \
+ sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-sslh.socket.in \
>${D}${systemd_system_unitdir}/gbmc-ncsi-sslh.socket
+
+ mondir=${D}${datadir}/gbmc-ip-monitor/
+ install -d -m0755 $mondir
+ sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-nft.sh.in \
+ >${WORKDIR}/gbmc-ncsi-nft.sh
+ install -m644 ${WORKDIR}/gbmc-ncsi-nft.sh $mondir
}
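Review bot: `$mondir` is unquoted in both new `install` lines, while the earlier `"$nftdir"` in the same function is quoted; use `install -d -m0755 "$mondir"` and `install -m644 ${WORKDIR}/gbmc-ncsi-nft.sh "$mondir"` for consistency. The rendered script is staged in `${WORKDIR}` (the unpacked source tree) before being installed, whereas the rules file above is written straight into `${D}`; staging under `${B}` or writing directly into `"$mondir"` would keep the source tree clean across re-runs of do_install. The hook is installed with mode 0644, which is appropriate only if gbmc-ip-monitor sources it rather than executing it — presumably the case, but worth confirming against that package. The mode spelling also varies (`-m0755`, `-m 0644`, `-m644`) within one function; picking one form helps readability.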