nftable rules: add tcp conn established counter to daemon rules
openssh dev rules
strowgerd rules
gpowerd rules
bmcweb rules
Tested: Modified rules on running bmc image, netfilter rules get applied.
HW fusion2 link in comments
Google-Bug-Id: 366190764
Change-Id: I40b5b74708530d1d4479fdd1c897e7d379f78404
Signed-off-by: Sam Agazaryan <samagazaryan@google.com>
diff --git a/recipes-connectivity/openssh/openssh/50-openssh-dev.rules b/recipes-connectivity/openssh/openssh/50-openssh-dev.rules
index 72bfa3a..ef8a44c 100644
--- a/recipes-connectivity/openssh/openssh/50-openssh-dev.rules
+++ b/recipes-connectivity/openssh/openssh/50-openssh-dev.rules
@@ -2,4 +2,9 @@
chain gbmc_br_pub_input {
tcp dport 22 accept
}
+ chain count_port_22 {
+ counter comment "tcp-server-22-synack"
+ }
}
+
+add element inet filter port_to_chain_map { 22 : jump count_port_22 }
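Review bot: The `counter comment "tcp-server-22-synack"` rule counts every packet that reaches `count_port_22`, so whether it really counts only established (SYN-ACK) connections is decided entirely by the vmap rule that consumes `port_to_chain_map`, and neither that rule nor the map declaration is in this diff. A one-line note in the rules file would keep the next maintainer from trusting the comment alone, e.g. `# count_port_<n> is entered via the port_to_chain_map vmap in the base filter table; it counts whatever that rule selects`. The `add element inet filter port_to_chain_map { ... }` statement also sits outside the `table` block, so loading this file before the file that declares the map will fail with an nft error rather than silently skip the counter; the load-order dependency is worth stating next to it. The same applies to the hunks ending at L38, L52, L74 and L88.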
diff --git a/recipes-google/debug/strowger/90-gbmc-strowgerd.rules b/recipes-google/debug/strowger/90-gbmc-strowgerd.rules
index 9481df4..9754ab0 100644
--- a/recipes-google/debug/strowger/90-gbmc-strowgerd.rules
+++ b/recipes-google/debug/strowger/90-gbmc-strowgerd.rules
@@ -2,4 +2,9 @@
chain gbmc_br_pub_input {
tcp dport 5124 accept
}
+ chain count_port_5124 {
+ counter comment "tcp-server-5124-synack"
+ }
}
+
+add element inet filter port_to_chain_map { 5124 : jump count_port_5124 }
diff --git a/recipes-google/s4/gpowerd/43-gbmc-gpowerd.rules b/recipes-google/s4/gpowerd/43-gbmc-gpowerd.rules
index a2b1d15..93a4a6b 100644
--- a/recipes-google/s4/gpowerd/43-gbmc-gpowerd.rules
+++ b/recipes-google/s4/gpowerd/43-gbmc-gpowerd.rules
@@ -2,4 +2,9 @@
chain gbmc_br_pub_input {
tcp dport 20120 accept
}
+ chain count_port_20120 {
+ counter comment "tcp-server-20120-synack"
+ }
}
+
+add element inet filter port_to_chain_map { 20120 : jump count_port_20120 }
diff --git a/recipes-phosphor/interfaces/bmcweb/50-gbmc-bmcweb-dev.rules b/recipes-phosphor/interfaces/bmcweb/50-gbmc-bmcweb-dev.rules
index a25af1d..4fa5524 100644
--- a/recipes-phosphor/interfaces/bmcweb/50-gbmc-bmcweb-dev.rules
+++ b/recipes-phosphor/interfaces/bmcweb/50-gbmc-bmcweb-dev.rules
@@ -4,4 +4,17 @@
tcp dport 443 accept
tcp dport 3995 accept
}
+ chain count_port_80 {
+ counter comment "tcp-server-80-synack"
+ }
+ chain count_port_443 {
+ counter comment "tcp-server-443-synack"
+ }
+ chain count_port_3995 {
+ counter comment "tcp-server-3995-synack"
+ }
}
+
+add element inet filter port_to_chain_map { 80 : jump count_port_80 }
+add element inet filter port_to_chain_map { 443 : jump count_port_443 }
+add element inet filter port_to_chain_map { 3995 : jump count_port_3995 }
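Review bot: Both 50-gbmc-bmcweb-dev.rules and 50-gbmc-bmcweb.rules (hunk ending at L88) now define `chain count_port_443` with a counter rule and add the identical `443 : jump count_port_443` map element. If the two files are ever loaded into the same ruleset, the chain would accumulate two counter rules and the second `add element` for key 443 may be rejected as a duplicate; if the dev and non-dev files are mutually exclusive this is harmless, but the files do not say so. A comment in each, e.g. `# dev and non-dev bmcweb rules are alternatives, never loaded together`, or a shared include for the 443 counter would remove the ambiguity. The `tcp dport 80 accept` this hunk pairs with `count_port_80` is outside the visible hunk context, so its presence cannot be confirmed from here.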
diff --git a/recipes-phosphor/interfaces/bmcweb/50-gbmc-bmcweb.rules b/recipes-phosphor/interfaces/bmcweb/50-gbmc-bmcweb.rules
index d790938..cc23d1e 100644
--- a/recipes-phosphor/interfaces/bmcweb/50-gbmc-bmcweb.rules
+++ b/recipes-phosphor/interfaces/bmcweb/50-gbmc-bmcweb.rules
@@ -2,4 +2,9 @@
chain gbmc_br_pub_input {
tcp dport 443 accept
}
+ chain count_port_443 {
+ counter comment "tcp-server-443-synack"
+ }
}
+
+add element inet filter port_to_chain_map { 443 : jump count_port_443 }