William A. Kennington III | c7454fb | 2021-09-14 16:01:37 -0700 | [diff] [blame^] | 1 | #!/bin/bash |
| 2 | # Copyright 2021 Google LLC |
| 3 | # |
| 4 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | # you may not use this file except in compliance with the License. |
| 6 | # You may obtain a copy of the License at |
| 7 | # |
| 8 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | # |
| 10 | # Unless required by applicable law or agreed to in writing, software |
| 11 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | # See the License for the specific language governing permissions and |
| 14 | # limitations under the License. |
| 15 | |
| 16 | source /usr/share/network/lib.sh || exit |
| 17 | source /usr/libexec/ncsid_lib.sh || exit |
| 18 | |
| 19 | old_pfx= |
| 20 | old_rtr= |
| 21 | |
| 22 | w=60 |
| 23 | while true; do |
| 24 | start=$SECONDS |
| 25 | while read line; do |
| 26 | if [ -z "$line" ]; then |
| 27 | pfx= |
| 28 | elif [[ "$line" =~ ^Prefix' '*:' '*(.*)/([0-9]+)$ ]]; then |
| 29 | t_pfx="${BASH_REMATCH[1]}" |
| 30 | t_pfx_len="${BASH_REMATCH[2]}" |
| 31 | ip_to_bytes t_pfx_b "$t_pfx" || continue |
| 32 | (( t_pfx_len == 76 && t_pfx_b[8] & 0xfd == 0xfd )) || continue |
| 33 | (( t_pfx_b[9] |= 1 )) |
| 34 | pfx="$(ip_bytes_to_str t_pfx_b)" |
| 35 | (( t_pfx_b[9] &= 0xf0 )) |
| 36 | stateless_pfx="$(ip_bytes_to_str t_pfx_b)" |
| 37 | elif [[ "$line" =~ ^from' '(.*)$ ]]; then |
| 38 | rtr="${BASH_REMATCH[1]}" |
| 39 | (( "${#pfx}" != 0 )) || continue |
| 40 | [[ "$pfx" != "$old_pfx" || "$old_rtr" != "$rtr" ]] || continue |
| 41 | |
| 42 | echo "Found prefix $pfx from $rtr" >&2 |
| 43 | |
| 44 | # Delete any stale IP Addresses from the primary interface as we won't use them |
| 45 | UpdateIP xyz.openbmc_project.Network @NCSI_IF@ '0.0.0.0' '0' |
| 46 | UpdateIP xyz.openbmc_project.Network @NCSI_IF@ '::' '0' |
| 47 | |
| 48 | read -r -d '' contents <<EOF |
| 49 | [Network] |
| 50 | Address=$pfx/128 |
| 51 | IPv6PrefixDelegation=yes |
| 52 | [IPv6PrefixDelegation] |
| 53 | RouterLifetimeSec=60 |
| 54 | [IPv6Prefix] |
| 55 | Prefix=$stateless_pfx/80 |
| 56 | PreferredLifetimeSec=60 |
| 57 | ValidLifetimeSec=60 |
| 58 | [IPv6RoutePrefix] |
| 59 | Route=$pfx/80 |
| 60 | LifetimeSec=60 |
| 61 | [Route] |
| 62 | Destination=$stateless_pfx/76 |
| 63 | Type=unreachable |
| 64 | Metric=1024 |
| 65 | EOF |
| 66 | for file in /run/systemd/network/{00,}-bmc-gbmcbr.network.d/49-public-ra.conf; do |
| 67 | mkdir -p -m 755 "$(dirname "$file")" |
| 68 | printf '%s' "$contents" >"$file" |
| 69 | done |
| 70 | |
| 71 | contents='[Network]'$'\n' |
| 72 | contents+="Address=$pfx/128"$'\n' |
| 73 | contents+="Gateway=$rtr"$'\n' |
| 74 | for file in /run/systemd/network/{00,}-bmc-@NCSI_IF@.network.d/49-public-ra.conf; do |
| 75 | mkdir -p -m 755 "$(dirname "$file")" |
| 76 | printf '%s' "$contents" >"$file" |
| 77 | done |
| 78 | |
| 79 | # Ensure that systemd-networkd performs a reconfiguration as it doesn't |
| 80 | # currently check the mtime of drop-in files. |
| 81 | touch -c /lib/systemd/network/*-bmc-gbmcbr.network |
| 82 | touch -c /etc/systemd/network/*-bmc-@NCSI_IF@.network |
| 83 | |
| 84 | if [ "$(systemctl is-active systemd-networkd)" != 'inactive' ]; then |
| 85 | networkctl reload |
| 86 | networkctl reconfigure gbmcbr |
| 87 | fi |
| 88 | |
| 89 | read -r -d '' contents <<EOF |
| 90 | table inet filter { |
| 91 | chain ncsi_input { |
| 92 | ip6 saddr != $pfx/76 ip6 daddr $pfx/76 goto ncsi_gbmc_br_pub_input |
| 93 | } |
| 94 | chain ncsi_forward { |
| 95 | ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept |
| 96 | } |
| 97 | } |
| 98 | EOF |
| 99 | rfile=/run/nftables/40-gbmc-ncsi-ra.rules |
| 100 | mkdir -p -m 755 "$(dirname "$rfile")" |
| 101 | printf '%s' "$contents" >"$rfile" |
| 102 | systemctl reset-failed nftables |
| 103 | systemctl --no-block restart nftables |
| 104 | |
| 105 | old_pfx="$pfx" |
| 106 | old_rtr="$rtr" |
| 107 | fi |
| 108 | done < <(rdisc6 -d -m @NCSI_IF@ -w $(( w * 1000 )) 2>/dev/null) |
| 109 | # If rdisc6 exits early we still want to wait the full `w` time before |
| 110 | # starting again. |
| 111 | (( timeout = start + w - SECONDS )) |
| 112 | sleep $(( timeout < 0 ? 0 : timeout )) |
| 113 | done |