meta-google: gbmc-ncsi-nft: More forward restriction
We only want to allow <pfx>::fd... traffic into the machine area network
from the outside world. Instead of just blocking internal network
addresses from the outside, explicitly look at the prefix.
Change-Id: Id0afef7c813aef381e81b8fcfb570778f529f5dc
Signed-off-by: William A. Kennington III <wak@google.com>
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
index 727c8b6..93d1a4a 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
@@ -59,6 +59,11 @@
fi
contents+=' }'$'\n'
+ contents+=' chain ncsi_forward {'$'\n'
+ if [ -n "$pfx" ]; then
+ contents+=" ip6 saddr != $pfx/72 ip6 daddr $pfx/72 accept"$'\n'
+ fi
+ contents+=' }'$'\n'
contents+='}'$'\n'
local rfile=/run/nftables/40-gbmc-ncsi-in.rules
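Review bot: the new `ncsi_forward` chain carries no `type filter hook forward priority ...; policy drop;` line and no terminating drop rule, so it is not clear from this hunk how the restriction takes effect: as written it is a regular chain that is only evaluated if some base chain jumps to it, and even as a base chain the default policy would be accept, making the single `accept` rule a no-op. Suggest either adding the hook and `policy drop` to the chain declaration (or a trailing `drop`) or pointing at the jump in the description. Also note that the only rule matches the inbound direction (`ip6 saddr != $pfx/72 ip6 daddr $pfx/72`); if the chain does end up with a drop policy, replies leaving the prefix would need a `ct state established,related accept` or an explicit outbound rule.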