uncloud-mravi/archive/uncloud_etcd_based/uncloud/hack/hackcloud/nftrules

# NOTE(review): `flush ruleset` clears every table in every family (inet, ip,
# ip6, arp, bridge, ...), not only the bridge filter defined below, so any host
# firewall loaded from elsewhere is removed each time this file is applied.
# A scoped `flush table bridge filter` (or deleting that table before
# redefining it) limits the effect to this ruleset -- confirm which is intended.
flush ruleset
# Bridge-level filter for the br100 VM bridge. Frames from the vxlan100 uplink
# are accepted unconditionally; frames from VM ports are accepted only when
# their interface, MAC and IPv6 source match an entry in br100_vmlist, and
# everything else that enters br100 is dropped.
table bridge filter {
    chain prerouting {
        type filter hook prerouting priority 0;
        policy accept;
        # Only frames entering the br100 bridge are inspected; frames on any
        # other bridge fall through to the accept policy above.
        ibrname br100 jump br100
    }

    chain br100 {
        # Allow all incoming traffic from outside
        # (the vxlan100 uplink is trusted here: no MAC or address check is
        # applied to frames arriving on it)
        iifname vxlan100 accept

        # Default blocks: router advertisements, dhcpv6, dhcpv4
        # These are matched before the per-VM list, so even a VM with a valid
        # entry in br100_vmlist cannot act as a router or DHCP server for the
        # rest of the bridge (udp sport 547 = DHCPv6 server replies,
        # udp sport 67 = DHCPv4 server replies).
        icmpv6 type nd-router-advert drop
        ip6 version 6 udp sport 547 drop
        ip version 4 udp sport 67 drop

        # Per-VM source binding; br100_vmlist only ever accepts, so anything it
        # does not match returns here and hits the explicit drop.
        jump br100_vmlist
        drop
    }

    chain br100_vmlist {
        # Each entry pins a tap interface to one source MAC and the IPv6
        # source address(es) it may use, so a VM cannot spoof another VM.
        # NOTE(review): only IPv6 sources are listed, so IPv4 frames from a VM
        # port fall through to the drop in br100. The same looks true of IPv6
        # packets with a link-local (fe80::/64) or unspecified (::) source,
        # e.g. neighbour solicitation / DAD from the VM -- confirm that is
        # intended before relying on this list as-is.
        # VM1
        iifname tap1 ether saddr 02:00:f0:a9:c4:4e ip6 saddr 2a0a:e5c1:111:888:0:f0ff:fea9:c44e accept

        # VM2
        # The second rule lets this VM source from the whole /64, not just one
        # address.
        iifname v343a-0 ether saddr 02:00:f0:a9:c4:4f ip6 saddr 2a0a:e5c1:111:888:0:f0ff:fea9:c44f accept
        iifname v343a-0 ether saddr 02:00:f0:a9:c4:4f ip6 saddr 2a0a:e5c1:111:1234::/64 accept
    }
}