blob: 475cc02f9e752cf8875af5e544f9fe585caa2962 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
table bridge filter {
chain gbmc_br_prerouting {
type filter hook prerouting priority 0;
iifname != gbmcbr accept
# Sometimes our links are over NCSI and we don't want to broadcast
# those packets over the entire bridge. They are only relevant P2P.
ether type 0x88F8 drop
}
}
table inet filter {
chain gbmc_br_input {
type filter hook input priority 0; policy drop;
iifname != gbmcbr accept
jump gbmc_br_int_input
jump gbmc_br_pub_input
reject
}
set gbmc_br_int_addrs {
type ipv6_addr;
flags interval
elements = {
ff00::/8,
fe80::/64,
fdb5:0481:10ce::/64,
}
}
chain gbmc_br_int_input {
ip6 daddr @gbmc_br_int_addrs accept
ip6 saddr @gbmc_br_int_addrs accept
}
chain gbmc_br_pub_input {
ip6 nexthdr icmpv6 accept
}
}
|