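# IPv6 / bridge filtering for a VM host: per-VM source pinning and
# neighbour-discovery (ND) policing.  Work in progress -- chain names such as
# vmXXXX / brXX are placeholders, and several chains only log (see notes).

# Reset only the two tables this file owns.  The original `flush ruleset`
# also wiped every table of every family on the host, including tables
# installed by other tools (e.g. a container or VM manager).  If this file is
# meant to own the whole host ruleset, `flush ruleset` can be restored.
add table bridge filter
delete table bridge filter
add table ip6 filter
delete table ip6 filter

# The full set of ND message types policed below (one definition, used by
# every chain, so the set cannot drift between chains).
define ND_ALL = { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect }

# Bridge-family hooks see every frame crossing a bridge, including VM-to-VM
# frames on the same bridge that never reach the ip6 hooks further down
# (unless br_netfilter is enabled).  This is where RA-guard style rules
# belong; today this table only logs.
table bridge filter {
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        # ibrname = the bridge the ingress port belongs to
        ibrname br100 jump netpublic
    }

    chain netpublic {
        # Observe all ND traffic on br100.  Rate-limited so that a VM
        # flooding RAs/NAs cannot flood the kernel log; the prefix makes
        # the entries attributable.
        icmpv6 type $ND_ALL limit rate 10/second burst 20 packets log prefix "nft-bridge-br100-nd: "
    }
}

table ip6 filter {
    chain forward {
        type filter hook forward priority 0;
        # Default-deny for routed traffic.
        # NOTE(review): as written nothing accepts *new* forwarded flows, so
        # no routed IPv6 connection can be opened to or from a VM until an
        # accept rule is added here.
        policy drop;
        ct state established,related accept;
    }

    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        # Dispatch on ingress interface to the per-VM / per-network chains.
        # NOTE(review): ip6-family hooks only see frames that are routed or
        # addressed to the host.  Frames bridged between VM ports bypass this
        # chain unless br_netfilter (bridge-nf-call-ip6tables) is on, and even
        # then iifname is the bridge, not the tap, so the vmXXXX / vmYYYY
        # matches may never fire for bridged VMs -- confirm against the host
        # topology before relying on them.
        iifname vmXXXX jump vmXXXX
        iifname vmYYYY jump vmYYYY
        iifname brXX jump brXX
        iifname vxlan100 jump vxlan100
        iifname br100 jump br100
    }

    # Design notes (original author):
    # 1. Rules per VM (names: vmXXXXX?)
    # 2. Rules per network (names: vxlanXXXX, what about non vxlan?)
    # 3. Rules per bridge: vxlanXX is inside brXX -- effectively a network filter
    # 4. Kill all malicious traffic:
    #    - router advertisements from VMs in which they should not announce RAs

    # Per-network chains: observe only (log, no verdict), so ND -- including
    # RAs -- from these networks is still accepted.  Goal 4 above is not yet
    # enforced here.
    chain vxlan100 {
        icmpv6 type $ND_ALL limit rate 10/second burst 20 packets log prefix "nft-vxlan100-nd: "
    }
    chain br100 {
        icmpv6 type $ND_ALL limit rate 10/second burst 20 packets log prefix "nft-br100-nd: "
    }

    # Public network: only the uplink (vxlanpublic) may originate ND.
    # NOTE(review): no rule in this table jumps here yet; the bridge-family
    # chain of the same name is the one that is actually reached.
    chain netpublic {
        # drop router advertisements (and all other ND) that don't come from us
        iifname != vxlanpublic icmpv6 type $ND_ALL drop
        # Stricter alternative kept from the draft: drop ND regardless of source.
        # icmpv6 type $ND_ALL drop
    }

    # This vlan: only its own prefix may be sourced from brXX.
    chain brXX {
        ip6 saddr != 2001:db8:1::/64 drop;
    }

    # Per-VM source pinning: one MAC, one address.
    # NOTE(review): pinning ip6 saddr to a single global address also drops
    # the VM's link-local (fe80::/10) and unspecified (::) sources, which
    # NDP, DAD and router solicitation use -- verify that IPv6 still comes up
    # for the VM with this rule in place.
    chain vmXXXX {
        ether saddr != 00:0f:54:0c:11:04 drop;
        ip6 saddr != 2001:db8:1:000f::540c:11ff:fe04 drop;
        jump drop_from_vm_without_ipam
    }

    # Placeholder, not yet populated.
    chain net_2a0ae5c05something {
    }

    # Empty: the jump from vmXXXX is currently a no-op.
    chain drop_from_vm_without_ipam {
    }

    # NOTE(review): vmYYYY has no ip6 saddr check but jumps to the
    # "with_ipam" chain, while vmXXXX (which does pin its address) jumps to
    # "without_ipam"; the chain names look swapped -- confirm intent.
    chain vmYYYY {
        ether saddr != 00:0f:54:0c:11:05 drop;
        jump drop_from_vm_with_ipam
    }

    # Drop stuff from every VM.
    # NOTE(review): this drops neighbour solicitations/advertisements as well
    # as RAs, so a VM routed through this chain cannot resolve its gateway or
    # answer the gateway's solicitations unless static neighbour entries
    # exist on both sides.  If only goal 4 (RA guard) is intended, restrict
    # the set here to { nd-router-advert, nd-redirect }.
    chain drop_from_vm_with_ipam {
        icmpv6 type $ND_ALL drop
    }
}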