meta-google/recipes-google/ncsi/files/50-gbmc-ncsi.rules.in

table inet filter {
    chain ncsi_input {
        type filter hook input priority 0; policy drop;
        iifname != @NCSI_IF@ accept
        ct state established accept
        ip6 daddr ff00::/8 goto ncsi_brd_input
        ip6 daddr fe80::/64 goto ncsi_legacy_input
    }
    chain ncsi_gbmc_br_pub_input {
        jump gbmc_br_pub_input
        jump ncsi_legacy_input
        reject
    }
    chain gbmc_br_pub_input {
      ip6 nexthdr icmpv6 accept
    }
    chain ncsi_legacy_input {
        jump ncsi_any_input
        tcp dport 3959 accept
        udp dport 3959 accept
        tcp dport 3967 accept
        udp dport 3967 accept
    }
    chain ncsi_brd_input {
        jump ncsi_any_input
    }
    chain ncsi_any_input {
        icmpv6 type nd-neighbor-advert accept
        icmpv6 type nd-neighbor-solicit accept
        icmpv6 type nd-router-advert accept
    }
    chain ncsi_forward {
        type filter hook forward priority 0; policy drop;
        iifname != @NCSI_IF@ accept
        oifname != gbmcbr drop
        ip6 daddr fdb5:0481:10ce::/64 drop
        ip6 saddr fdb5:0481:10ce::/64 drop
    }
    chain ncsi_dhcp_input {
        type filter hook input priority 0; policy drop;
        iifname != ncsigbmc accept
        ip6 nexthdr icmpv6 accept
        udp dport 547 accept
    }
}
Initial commit 2026-04-23 17:07:55 +08:00			`table inet filter {`
			`chain ncsi_input {`
			`type filter hook input priority 0; policy drop;`
			`iifname != @NCSI_IF@ accept`
			`ct state established accept`
			`ip6 daddr ff00::/8 goto ncsi_brd_input`
			`ip6 daddr fe80::/64 goto ncsi_legacy_input`
			`}`
			`chain ncsi_gbmc_br_pub_input {`
			`jump gbmc_br_pub_input`
			`jump ncsi_legacy_input`
			`reject`
			`}`
			`chain gbmc_br_pub_input {`
			`ip6 nexthdr icmpv6 accept`
			`}`
			`chain ncsi_legacy_input {`
			`jump ncsi_any_input`
			`tcp dport 3959 accept`
			`udp dport 3959 accept`
			`tcp dport 3967 accept`
			`udp dport 3967 accept`
			`}`
			`chain ncsi_brd_input {`
			`jump ncsi_any_input`
			`}`
			`chain ncsi_any_input {`
			`icmpv6 type nd-neighbor-advert accept`
			`icmpv6 type nd-neighbor-solicit accept`
			`icmpv6 type nd-router-advert accept`
			`}`
			`chain ncsi_forward {`
			`type filter hook forward priority 0; policy drop;`
			`iifname != @NCSI_IF@ accept`
			`oifname != gbmcbr drop`
			`ip6 daddr fdb5:0481:10ce::/64 drop`
			`ip6 saddr fdb5:0481:10ce::/64 drop`
			`}`
			`chain ncsi_dhcp_input {`
			`type filter hook input priority 0; policy drop;`
			`iifname != ncsigbmc accept`
			`ip6 nexthdr icmpv6 accept`
			`udp dport 547 accept`
			`}`
			`}`