1table inet filter {
2    chain ncsi_input {
3        type filter hook input priority 0; policy drop;
4        iifname != @NCSI_IF@ accept
5        ct state established accept
6        ip6 daddr ff00::/8 goto ncsi_brd_input
7        ip6 daddr fe80::/64 goto ncsi_legacy_input
8    }
9    chain ncsi_gbmc_br_pub_input {
10        jump gbmc_br_pub_input
11        jump ncsi_legacy_input
12        reject
13    }
14    chain gbmc_br_pub_input {
15      ip6 nexthdr icmpv6 accept
16    }
17    chain ncsi_legacy_input {
18        jump ncsi_any_input
19        tcp dport 3959 accept
20        udp dport 3959 accept
21        tcp dport 3967 accept
22        udp dport 3967 accept
23    }
24    chain ncsi_brd_input {
25        jump ncsi_any_input
26    }
27    chain ncsi_any_input {
28        icmpv6 type nd-neighbor-advert accept
29        icmpv6 type nd-neighbor-solicit accept
30        icmpv6 type nd-router-advert accept
31    }
32    chain ncsi_forward {
33        type filter hook forward priority 0; policy drop;
34        iifname != @NCSI_IF@ accept
35        oifname != gbmcbr drop
36        ip6 daddr fdb5:0481:10ce::/64 drop
37        ip6 saddr fdb5:0481:10ce::/64 drop
38    }
39    chain ncsi_dhcp_input {
40        type filter hook input priority 0; policy drop;
41        iifname != ncsigbmc accept
42        ip6 nexthdr icmpv6 accept
43        udp dport 547 accept
44    }
45}
46