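# Layer-2 (bridge family) filtering for frames entering the bridge.
# The trailing "| |" table-cell residue from the page export has been
# stripped and indentation restored so the ruleset can be parsed by nft.
table bridge filter {
    chain gbmc_br_prerouting {
        # No policy is declared here, so a frame that matches no rule
        # below is accepted (the base-chain default).
        type filter hook prerouting priority 0;

        # Frames whose input interface is not named gbmcbr are accepted
        # and never reach the NC-SI drop below.
        # NOTE(review): in the bridge family `iifname` is normally the
        # ingress *port* device, while the bridge master is matched with
        # `ibrname`. If gbmcbr is the bridge itself and not a port, this
        # rule would accept every frame and the drop would be dead code.
        # Confirm against the interface layout (e.g. with a counter).
        iifname != gbmcbr accept

        # Sometimes our links are over NCSI and we don't want to broadcast
        # those packets over the entire bridge. They are only relevant P2P.
        ether type 0x88F8 drop
    }
}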
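# Layer-3 input filtering for traffic delivered to the host via gbmcbr.
# The trailing "| |" table-cell residue from the page export has been
# stripped and indentation restored so the ruleset can be parsed by nft.
table inet filter {
    chain gbmc_br_input {
        # Default-deny base chain. Because the chain ends in an
        # unconditional `reject`, the drop policy is only a backstop.
        type filter hook input priority 0; policy drop;

        # This chain only constrains gbmcbr. Anything arriving on another
        # interface is accepted here without inspection, so those
        # interfaces need their own rules elsewhere if they are exposed.
        iifname != gbmcbr accept

        # Each jump returns here when none of its rules matched.
        jump gbmc_br_int_input
        jump gbmc_br_pub_input

        # Everything left is refused with an ICMP error, not silently
        # dropped. Neither sub-chain has an IPv4 rule, so all IPv4
        # traffic arriving on gbmcbr ends up here.
        reject
    }

    # Address ranges treated as "internal" on the bridge.
    set gbmc_br_int_addrs {
        type ipv6_addr;
        flags interval
        elements = {
            # IPv6 multicast
            ff00::/8,
            # link-local
            fe80::/64,
            # a prefix inside the unique-local (fd00::/8) range
            fdb5:0481:10ce::/64,
        }
    }

    chain gbmc_br_int_input {
        # Traffic addressed to an internal range is accepted on every
        # protocol and port.
        ip6 daddr @gbmc_br_int_addrs accept

        # NOTE(review): this trusts the packet's source address, which is
        # not authenticated. A sender on the bridge that uses a source in
        # these ranges is accepted even when the destination is a public
        # address of this host. Confirm that upstream filtering stops
        # such sources from arriving from outside. The ff00::/8 element
        # is only meaningful as a destination; a multicast source is not
        # valid, yet it would match here because the set is shared.
        ip6 saddr @gbmc_br_int_addrs accept
    }

    chain gbmc_br_pub_input {
        # For addresses outside the internal set, only ICMPv6 is let in.
        # `ip6 nexthdr` looks at the Next Header field of the fixed IPv6
        # header only, so ICMPv6 carried behind an extension header
        # (fragment, hop-by-hop, ...) does not match and is rejected by
        # the caller. `meta l4proto` is the form that follows extension
        # headers, if that stricter behaviour is not intended.
        # NOTE(review): all ICMPv6 types are accepted, with no type
        # restriction or rate limit; confirm that this is wanted.
        ip6 nexthdr icmpv6 accept
    }
}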