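# Bridge-family table: tags each frame with the bridge port it arrived on.
# Rules are unchanged from the listing; only the line numbers that were fused
# onto the start of every line (and made the file unloadable) were removed.
table bridge filter {
    # Base chain on the bridge prerouting hook, priority -300.
    # The packet mark written here is matched by gbmcbr_nat_input
    # (table inet raw) to pick the destination port to rewrite to.
    # NOTE(review): this relies on the mark set in the bridge hook still being
    # on the packet when the inet prerouting hook runs - confirm on the target.
    # NOTE(review): mark values 1, 2 and 0xff carry meaning in this ruleset;
    # any other rule that writes them to the packet mark changes the outcome.
    chain gbmcbr_mark {
        type filter hook prerouting priority -300;
        # One mark value per ingress port; "return" ends evaluation of this
        # chain for the frame once the mark is set.
        iifname == "cn0" mark set 1 return
        iifname == "cn1" mark set 2 return
        # Frames from any other port match neither rule and keep their mark.
    }
}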
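# Stateless port rewrite: TCP connections to port 10166 are steered to 10167
# or 10168 depending on the packet mark, and replies are mapped back to 10166.
# Rules are unchanged from the listing; only the line numbers that were fused
# onto the start of every line (and made the file unloadable) were removed.
table inet raw {
    chain gbmcbr_nat_input {
        type filter hook prerouting priority -300;
        # Clients should only use 10166 for this purpose and should NOT
        # address the service ports directly. Packets that arrive already
        # addressed to 10167-10168 are tagged 0xff here so they can be
        # dropped later if they reach input (see gbmc_br_redir_input in
        # table inet filter).
        # Order matters: this rule runs before the rewrites below, so it sees
        # the destination port as it arrived; packets rewritten below are not
        # re-evaluated by it and keep mark 1 or 2.
        tcp dport 10167-10168 mark set 0xff
        # mark 1 -> 10167, mark 2 -> 10168. "notrack" keeps these packets out
        # of connection tracking, so the return path is handled by the
        # explicit source-port rewrite in gbmcbr_nat_output.
        # NOTE(review): rules elsewhere that accept on conntrack state will
        # presumably not match these untracked packets - verify the input
        # policy accepts them by port or mark.
        mark 1 tcp dport 10166 tcp dport set 10167 notrack
        mark 2 tcp dport 10166 tcp dport set 10168 notrack
        # Packets to 10166 that carry neither mark are left unchanged.
    }
    chain gbmcbr_nat_output {
        type filter hook output priority -300;
        # Reverse mapping for locally generated packets: the service ports
        # are presented to the peer as 10166 again.
        # These rules match on source port alone (no interface or mark
        # condition), so every local TCP packet sent from 10167 or 10168 is
        # rewritten, whichever interface it leaves on.
        tcp sport 10167 tcp sport set 10166 notrack
        tcp sport 10168 tcp sport set 10166 notrack
    }
}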
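# Enforcement side of the "do not use the service ports directly" policy.
# The rule is unchanged from the listing; only the line numbers that were fused
# onto the start of every line (and made the file unloadable) were removed.
table inet filter {
    # Regular chain: it has no "type ... hook ..." line, so it is evaluated
    # only when another chain jumps or gotos to it. That caller is not part
    # of this listing.
    # NOTE(review): the drop is effective only if the jump is reached before
    # any rule that accepts the packet - verify in the hooked input chain.
    chain gbmc_br_redir_input {
        # 0xff is the tag gbmcbr_nat_input (table inet raw) puts on packets
        # that arrived addressed to TCP 10167-10168.
        mark 0xff drop
    }
}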