# Start from an empty ruleset: this removes every existing table, chain and
# rule (all families, including rules installed by other tools on the host)
# before the definitions below are added. Load the file with `nft -f` so the
# flush and the new rules are applied as a single transaction.
flush ruleset
# Bridge-family source filter for br100. Frames are checked as they enter the
# bridge (prerouting). Frames arriving on vxlan100 are accepted unfiltered;
# frames from any other bridge port must match an allowlist entry that binds
# port name, source MAC and IPv6 source address, otherwise they are dropped.
table bridge filter {
	chain prerouting {
		# Base chain on the bridge prerouting hook. The accept policy is only
		# reached by frames that are not on br100: br100 traffic is sent to
		# the br100 chain, which always ends in a verdict (its last rule is
		# an unconditional drop).
		type filter hook prerouting priority 0;
		policy accept;

		# Dispatch on the bridge the ingress port belongs to.
		ibrname br100 jump br100
	}

	chain br100 {
		# Allow all incoming traffic from outside
		# vxlan100 is the trust boundary: nothing below this rule (RA/DHCP
		# drops, per-VM allowlist) is applied to frames arriving on it.
		iifname vxlan100 accept

		# Default blocks: router advertisements, dhcpv6, dhcpv4
		# These match server-side messages (ICMPv6 router advertisement, UDP
		# from source port 547 and from source port 67), so a bridge port
		# other than vxlan100 cannot announce itself as router or DHCP server.
		# With the allowlist below, which accepts only the listed IPv6 source
		# addresses, such frames would also reach the final drop; the explicit
		# rules keep them blocked if the allowlist is widened later.
		# NOTE(review): whether the icmpv6 match still sees a router
		# advertisement carried behind IPv6 extension headers depends on how
		# nft resolves the protocol dependency in the bridge family; confirm
		# (e.g. with `nft --debug=netlink`) before relying on this rule alone.
		icmpv6 type nd-router-advert drop
		ip6 version 6 udp sport 547 drop
		ip version 4 udp sport 67 drop

		# Per-VM allowlist. A jump returns here when no entry matched, so the
		# drop below is the default verdict for every non-uplink port.
		# NOTE(review): the drop carries no counter or log statement, so
		# spoofing attempts are discarded without leaving a trace; consider
		# adding `counter` if visibility is wanted.
		jump br100_vmlist
		drop
	}

	chain br100_vmlist {
		# One entry per VM port: ingress port name + source MAC + IPv6 source
		# must all match. iifname compares the interface name as a string, so
		# the rule loads even when the tap device does not exist yet.
		# Anything else from these ports falls through to the drop in br100:
		# IPv4 and ARP, as well as IPv6 sent from a link-local or unspecified
		# source address.
		# NOTE(review): confirm the guests do not depend on neighbour
		# discovery or DAD packets sent from those source addresses.

		# VM1
		iifname tap1 ether saddr 02:00:f0:a9:c4:4e ip6 saddr 2a0a:e5c1:111:888:0:f0ff:fea9:c44e accept

		# VM2
		iifname v343a-0 ether saddr 02:00:f0:a9:c4:4f ip6 saddr 2a0a:e5c1:111:888:0:f0ff:fea9:c44f accept
		# Second entry for the same port and MAC: any source inside this /64
		# is accepted (presumably a prefix routed to VM2; verify).
		iifname v343a-0 ether saddr 02:00:f0:a9:c4:4f ip6 saddr 2a0a:e5c1:111:1234::/64 accept
	}
}