# Blame gutter on this page attributes the first line to cb56ec3
# (Yuxiao Zhang, 2023-05-12 10:55:26 -0700).
#
# Tags traffic with the interface it arrived on. The marks 1 and 2 set here
# are what the gbmcbr_nat_input chain in "table inet raw" matches on to pick
# the backend port.
# NOTE(review): this presumably relies on the packet mark surviving from the
# bridge prerouting hook to the inet prerouting hook - confirm on the target
# kernel.
table bridge filter {
    chain gbmcbr_mark {
        type filter hook prerouting priority -300;
        # One mark per ingress interface: cn0 -> 1, cn1 -> 2. `return` ends
        # evaluation of this chain as soon as the interface has matched.
        iifname == "cn0" mark set 1 return
        iifname == "cn1" mark set 2 return
        # No rule here touches the mark of traffic arriving on any other
        # interface; nothing in this chain resets a pre-existing mark.
    }
}
# Stateless port rewrite for the service reached on TCP 10166.
# Inbound: packets to 10166 are redirected to 10167 or 10168 depending on the
# mark (1 or 2) they carry. Outbound: the source port of replies is rewritten
# back to 10166. Every rewritten packet is `notrack`ed, so conntrack does not
# see these flows and nothing here depends on connection state.
table inet raw {
    chain gbmcbr_nat_input {
        type filter hook prerouting priority -300;
        # Clients must connect to 10166 only and must NOT address the service
        # ports (10167-10168) directly. Packets that do are tagged 0xff here
        # so they can be dropped later if they reach the input hook.
        # NOTE(review): the drop itself is not in this chain - confirm that an
        # input-hook rule actually drops mark 0xff; without it this rule only
        # labels direct access, it does not block it.
        #
        # Order matters: this rule must stay ABOVE the two rewrite rules.
        # Placed after them, it would also tag the packets that were just
        # rewritten from 10166 to 10167/10168. It has no interface or mark
        # qualifier, so it overwrites any mark already on the packet.
        tcp dport 10167-10168 mark set 0xff
        # mark 1 -> backend port 10167, mark 2 -> backend port 10168.
        # Packets to 10166 carrying any other mark are left unchanged by this
        # chain.
        mark 1 tcp dport 10166 tcp dport set 10167 notrack
        mark 2 tcp dport 10166 tcp dport set 10168 notrack
    }
    chain gbmcbr_nat_output {
        type filter hook output priority -300;
        # Reverse mapping for replies: present 10166 as the source port again.
        # NOTE(review): these rules match on source port alone (no interface,
        # address or mark qualifier), so every locally generated TCP segment
        # with sport 10167 or 10168 is rewritten - confirm nothing else on the
        # host is expected to send from those ports.
        tcp sport 10167 tcp sport set 10166 notrack
        tcp sport 10168 tcp sport set 10166 notrack
    }
}