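#!/bin/bash
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Source guard: this file is a library that is sourced, not executed, and
# must only be loaded once per shell.
[ -n "${gbmc_ncsi_dynamic_lib-}" ] && return

#######################################
# IP-monitor hook for dynamically added NC-SI USB links.
# On a 'link'/'add' event for an interface carrying the "ncsi-usb" alias,
# writes a per-interface nftables ruleset (input: drop all but established
# traffic, udp/547 and ICMPv6; forward: only towards gbmcbr, excluding the
# fdb5:0481:10ce::/64 prefix), reloads nftables and starts gbmc-ncsi-ra@<intf>.
# Globals:
#   change, action, intf (read) - event fields set by the caller that runs
#     GBMC_IP_MONITOR_HOOKS; intf is rewritten in place with any "@..." suffix
#     removed, so hooks that run after this one see the stripped name.
# Arguments: none
# Outputs:   writes /run/nftables/50-gbmc-ncsi-<intf>.rules
# Returns:   0 when the event is not a matching link add; the alias check's
#            non-zero status when the link is not ncsi-usb; otherwise the
#            status of the final systemctl call
#######################################
gbmc_ncsi_dynamic_hook() {
  # shellcheck disable=SC2154
  [[ "$change" = 'link' && "$action" = 'add' ]] || return 0
  # Drop the "@peer" suffix that link names can carry; this intentionally
  # (as in the original) updates the caller's variable rather than a copy.
  intf="${intf%%@*}"
  # Only interfaces explicitly tagged with the ncsi-usb alias are handled.
  ip link show "$intf" | grep -q '^ *alias ncsi-usb$' || return

  local contents
  # read -d '' never finds its NUL delimiter, so it exits 1 at EOF even
  # though contents was filled; the || true keeps that status from aborting
  # a caller that runs with `set -e`.
  read -r -d '' contents <<EOF || true
table inet filter {
  chain ${intf}_input {
    type filter hook input priority 0; policy drop;
    iifname != $intf accept
    ct state established accept
    udp dport 547 accept
    jump gbmc_br_pub_input
    reject
  }
  chain gbmc_br_pub_input {
    ip6 nexthdr icmpv6 accept
  }
  chain ${intf}_forward {
    type filter hook forward priority 0; policy drop;
    iifname != $intf accept
    oifname != gbmcbr drop
    ip6 daddr fdb5:0481:10ce::/64 drop
    ip6 saddr fdb5:0481:10ce::/64 drop
  }
}
EOF
  local rfile=/run/nftables/50-gbmc-ncsi-$intf.rules
  mkdir -p "${rfile%/*}"
  printf '%s' "$contents" >"$rfile"
  # Best effort: clear any failed state before reloading so the reload is not
  # refused; the reload itself is non-blocking and its failure is tolerated.
  # shellcheck disable=SC2015
  systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true

  systemctl start --no-block gbmc-ncsi-ra@"$intf"
}

# Register with the IP monitor's hook list (array created if absent).
GBMC_IP_MONITOR_HOOKS+=(gbmc_ncsi_dynamic_hook)

gbmc_ncsi_dynamic_lib=1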