| table bridge filter { |
| chain gbmc_br_prerouting { |
| type filter hook prerouting priority 0; |
| iifname != gbmcbr accept |
| # Sometimes our links are over NCSI and we don't want to broadcast |
| # those packets over the entire bridge. They are only relevant P2P. |
| ether type 0x88F8 drop |
| } |
| } |
| |
| table inet filter { |
| chain gbmc_br_input { |
| type filter hook input priority 0; policy drop; |
| iifname != gbmcbr accept |
| mark 0xff drop |
| ct state established accept |
| jump gbmc_br_int_input |
| jump gbmc_br_pub_input |
| reject |
| } |
| set gbmc_br_int_addrs { |
| type ipv6_addr; |
| flags interval |
| elements = { |
| ff00::/8, |
| fe80::/64, |
| fdb5:0481:10ce::/64, |
| } |
| } |
| chain gbmc_br_int_input { |
| ip6 daddr @gbmc_br_int_addrs accept |
| ip6 saddr @gbmc_br_int_addrs accept |
| } |
| chain gbmc_br_pub_input { |
| ip6 nexthdr icmpv6 accept |
| } |
| } |
| |