uncloud/uncloud/hack/nftables.conf


# Clear every table in every family before loading, so this file is the whole
# ruleset and not an addition to whatever was loaded before it.
flush ruleset
# Bridge-family filter: matches frames as they traverse the Linux bridge, before
# the ip6-family hooks below. Only br100 is wired in; it jumps to netpublic,
# which logs and returns, so the prerouting accept policy still decides.
table bridge filter {
chain prerouting {
type filter hook prerouting priority 0;
policy accept;
# Frames entering bridge br100 go through netpublic; all other frames fall
# through to the accept policy above.
ibrname br100 jump netpublic
}
chain netpublic {
# Log only: nothing is dropped in this family yet. NOTE(review): the set covers
# every neighbor-discovery type (RS/RA/NS/NA/redirect), not just router
# advertisements; confirm the intended scope before this becomes a drop.
icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
}
}
# ip6-family filter. The per-interface chains are dispatched from prerouting by
# input interface name; most of them are placeholders (vmXXXX, vmYYYY, brXX)
# that sketch the intended per-VM / per-network / per-bridge layering.
table ip6 filter {
chain forward {
type filter hook forward priority 0;
# this would be nice...
# With drop policy and only established/related accepted, no new forwarded
# flow is admitted by this chain as written.
policy drop;
ct state established,related accept;
}
chain prerouting {
type filter hook prerouting priority 0;
policy accept;
# not supporting in here!
# Dispatch by input interface. NOTE(review): netpublic below is not the target
# of any jump in this table, so within this file it is unreachable; either
# add an `iifname ... jump netpublic` here or drop the chain.
iifname vmXXXX jump vmXXXX
iifname vmYYYY jump vmYYYY
iifname brXX jump brXX
iifname vxlan100 jump vxlan100
iifname br100 jump br100
}
# 1. Rules per VM (names: vmXXXXX?
# 2. Rules per network (names: vxlanXXXX, what about non vxlan?)
# 3. Rules per bridge:
# vxlanXX is inside brXX
# This is effectively a network filter
# 4. Kill all malicous traffic:
# - router advertisements from VMs in which they should not announce RAs
# Per-network chain: log-only, no verdict, so the chain returns and the
# prerouting accept policy applies.
chain vxlan100 {
icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
}
# Per-bridge chain: same log-only rule as vxlan100.
chain br100 {
icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
}
chain netpublic {
# drop router advertisements that don't come from us
# NOTE(review): the comment says router advertisements, but the set also drops
# neighbor solicit/advert and redirect from every interface other than
# vxlanpublic; dropping NS/NA would likely break IPv6 address resolution for
# those interfaces. If only RAs are meant, the set should be
# `icmpv6 type nd-router-advert` — confirm against the intended topology.
iifname != vxlanpublic icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
# icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
}
# This vlan
# Per-bridge source-prefix pin: anything not sourced from the bridge's /64 is
# dropped. NOTE(review): this also drops link-local (fe80::/10) sources, which
# neighbor discovery and router solicitation use — confirm that is intended.
chain brXX {
ip6 saddr != 2001:db8:1::/64 drop;
}
# Per-VM chain (placeholder values): pin the VM to one MAC and one IPv6
# address, then hand off to the no-IPAM drop chain.
chain vmXXXX {
ether saddr != 00:0f:54:0c:11:04 drop;
# NOTE(review): a single-address pin also drops the VM's link-local source
# address; check whether the VM needs link-local ND/RS to function.
ip6 saddr != 2001:db8:1:000f::540c:11ff:fe04 drop;
# drop_from_vm_without_ipam is empty below, so this jump currently has no
# effect.
jump drop_from_vm_without_ipam
}
# Placeholder: no rules yet.
chain net_2a0ae5c05something {
}
# Placeholder: no rules yet (jumped to from vmXXXX).
chain drop_from_vm_without_ipam {
}
# Per-VM chain (placeholder values): MAC pin only, then the IPAM drop chain.
chain vmYYYY {
ether saddr != 00:0f:54:0c:11:05 drop;
jump drop_from_vm_with_ipam
}
# Drop stuff from every VM
# NOTE(review): this drops every ND type from the VM, including the neighbor
# solicit/advert the VM needs to resolve its gateway; item 4 above only calls
# for blocking router advertisements — confirm the intended set.
chain drop_from_vm_with_ipam {
icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
}
}