Gitiles
Code Review Sign In
gerrit.openbmc.org / stefanberger / openbmc / b823f89c8cd0da678c78e242bf12c25f414d0697^! / .
commitb823f89c8cd0da678c78e242bf12c25f414d0697[log] [tgz]
authorWilliam A. Kennington III <wak@google.com>Tue Nov 23 20:54:56 2021 -0800
committerWilliam A. Kennington III <wak@google.com>Mon Dec 06 22:28:57 2021 +0000
tree5c6aadc05b418812d0d75a54a6126c451ae0a321
parent3dbea9350f23bbf2a4b3909e1d6bab157edba7fc [diff]
meta-google: gbmc-ncsi-config: Fix deprecated address nft

The nft rules were not deleted in cases where the public addresses are
removed from the gbmc-br interface. This would create broken rules.

Change-Id: I22a88f1fb15ccbea49e586061ea8e93bbbfb1bc1
Signed-off-by: William A. Kennington III <wak@google.com>

diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
index 7b07025..677ef28 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in

@@ -29,6 +29,7 @@
     "${gbmc_ncsi_br_deprecated_ips_lastip:-(deleted)}" >&2
 
   local contents=
+  local nfcontents=
   if [ -n "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then
     local pfx_bytes=()
     ip_to_bytes pfx_bytes "$gbmc_ncsi_br_deprecated_ips_lastip"
@@ -50,6 +51,16 @@
 Address=$host_pfx/128
 PreferredLifetime=0
 EOF
+    read -r -d '' nfcontents <<EOF
+table inet filter {
+  chain ncsi_input {
+    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 goto ncsi_gbmc_br_pub_input
+  }
+  chain ncsi_forward {
+    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept
+  }
+}
+EOF
   fi
 
   local file
@@ -70,19 +81,13 @@
     networkctl reload && networkctl reconfigure @NCSI_IF@
   fi
 
-  read -r -d '' contents <<EOF
-table inet filter {
-  chain ncsi_input {
-    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 goto ncsi_gbmc_br_pub_input
-  }
-  chain ncsi_forward {
-    ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept
-  }
-}
-EOF
-  rfile=/run/nftables/40-gbmc-ncsi-br.rules
+  local rfile=/run/nftables/40-gbmc-ncsi-br.rules
   mkdir -p -m 755 "$(dirname "$rfile")"
-  printf '%s' "$contents" >"$rfile"
+  if [ -z "$nfcontents" ]; then
+    rm -f "$rfile"
+  else
+    printf '%s' "$nfcontents" >"$rfile"
+  fi
   systemctl reset-failed nftables && systemctl --no-block restart nftables || true
 }