| William A. Kennington III | 832f02b | 2021-04-23 12:53:36 -0700 | [diff] [blame] | 1 | table bridge filter { |
| 2 | chain gbmc_br_prerouting { |
| 3 | type filter hook prerouting priority 0; |
| 4 | iifname != gbmcbr accept |
| 5 | # Sometimes our links are over NCSI and we don't want to broadcast |
| 6 | # those packets over the entire bridge. They are only relevant P2P. |
| 7 | ether type 0x88F8 drop |
| 8 | } |
| 9 | } |
| 10 | |
| 11 | table inet filter { |
| 12 | chain gbmc_br_input { |
| 13 | type filter hook input priority 0; policy drop; |
| 14 | iifname != gbmcbr accept |
| Yuxiao Zhang | 21c086b | 2023-06-21 10:23:53 -0700 | [diff] [blame] | 15 | mark 0xff drop |
| Yuxiao Zhang | 861ed8f | 2023-04-19 14:21:26 -0700 | [diff] [blame] | 16 | ct state established accept |
| William A. Kennington III | 832f02b | 2021-04-23 12:53:36 -0700 | [diff] [blame] | 17 | jump gbmc_br_int_input |
| 18 | jump gbmc_br_pub_input |
| 19 | reject |
| 20 | } |
| William A. Kennington III | cffcaa7 | 2021-09-08 13:06:00 -0700 | [diff] [blame] | 21 | set gbmc_br_int_addrs { |
| 22 | type ipv6_addr; |
| 23 | flags interval |
| 24 | elements = { |
| 25 | ff00::/8, |
| 26 | fe80::/64, |
| 27 | fdb5:0481:10ce::/64, |
| 28 | } |
| 29 | } |
| William A. Kennington III | 832f02b | 2021-04-23 12:53:36 -0700 | [diff] [blame] | 30 | chain gbmc_br_int_input { |
| William A. Kennington III | cffcaa7 | 2021-09-08 13:06:00 -0700 | [diff] [blame] | 31 | ip6 daddr @gbmc_br_int_addrs accept |
| 32 | ip6 saddr @gbmc_br_int_addrs accept |
| William A. Kennington III | 832f02b | 2021-04-23 12:53:36 -0700 | [diff] [blame] | 33 | } |
| 34 | chain gbmc_br_pub_input { |
| 35 | ip6 nexthdr icmpv6 accept |
| 36 | } |
| 37 | } |
| Yuxiao Zhang | 21c086b | 2023-06-21 10:23:53 -0700 | [diff] [blame] | 38 | |