# Packet filter for the NC-SI interface. @NCSI_IF@ is a placeholder and must be
# replaced with the real interface name before this ruleset is loaded.
#
# ncsi_input and ncsi_dhcp_input both hook input at priority 0. An accept
# verdict only ends evaluation of the base chain that issued it, so a packet
# has to pass every base chain on the hook. That is why each base chain first
# accepts traffic from interfaces it does not manage.
table inet filter {
    # Input from the NC-SI interface: default deny.
    chain ncsi_input {
        type filter hook input priority 0; policy drop;

        # Anything not arriving on the NC-SI interface is not filtered here.
        iifname != @NCSI_IF@ accept

        # Return traffic for established connections only; "related" is not
        # matched by this rule.
        ct state established accept

        # goto does not come back to this chain: a packet that is not accepted
        # in the target chain falls through to the policy (drop).
        ip6 daddr ff00::/8 goto ncsi_brd_input      # IPv6 multicast
        ip6 daddr fe80::/64 goto ncsi_legacy_input  # IPv6 link-local

        # IPv4 and every other IPv6 destination arriving on the NC-SI
        # interface reach the end of the chain and are dropped.
    }

    # Not referenced by any rule in this file.
    # NOTE(review): presumably jumped to from rules installed elsewhere - confirm.
    # Ends in reject, so a packet accepted by neither sub-chain gets an error
    # reply instead of a silent drop.
    chain ncsi_gbmc_br_pub_input {
        jump gbmc_br_pub_input
        jump ncsi_legacy_input
        reject
    }

    # Accepts every ICMPv6 type. "ip6 nexthdr" tests the next-header field of
    # the fixed IPv6 header, so ICMPv6 behind an extension header does not match.
    chain gbmc_br_pub_input {
        ip6 nexthdr icmpv6 accept
    }

    # Neighbor discovery plus two service ports over TCP and UDP.
    # NOTE(review): the services behind 3959 and 3967 are not identified here;
    # confirm both are still needed on this interface.
    chain ncsi_legacy_input {
        jump ncsi_any_input
        tcp dport { 3959, 3967 } accept
        udp dport { 3959, 3967 } accept
    }

    # Multicast destinations: only what ncsi_any_input allows.
    chain ncsi_brd_input {
        jump ncsi_any_input
    }

    # Minimal IPv6 neighbor discovery: neighbor advertisement, neighbor
    # solicitation and router advertisement. No other ICMPv6 type is accepted.
    chain ncsi_any_input {
        icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert } accept
    }

    # Forwarding of packets that arrived on the NC-SI interface: default deny.
    # Every rule after the interface match is a drop and the policy is drop, so
    # as written nothing arriving on @NCSI_IF@ is forwarded. The explicit drops
    # only matter if accept rules are appended to this chain.
    # NOTE(review): confirm against whatever manages this chain at runtime.
    chain ncsi_forward {
        type filter hook forward priority 0; policy drop;

        iifname != @NCSI_IF@ accept
        # Only forwarding towards gbmcbr is ever considered.
        oifname != gbmcbr drop
        # Never forward to or from this ULA prefix.
        ip6 daddr fdb5:0481:10ce::/64 drop
        ip6 saddr fdb5:0481:10ce::/64 drop
    }

    # Input on gbmcncsidhcp: default deny, allowing all ICMPv6 and UDP to
    # port 547 (the DHCPv6 server/relay port).
    chain ncsi_dhcp_input {
        type filter hook input priority 0; policy drop;

        iifname != gbmcncsidhcp accept
        ip6 nexthdr icmpv6 accept
        udp dport 547 accept
    }
}