{{ ansible_managed | comment }}

# Host input filter for both IPv4 and IPv6 (inet family). Packets are first run
# through the stateful pre-filter and the "from anywhere" allowances, then
# dispatched by source address into a per-peer chain; anything that is still
# unmatched is rejected by the last rule of `input`.
#
# NOTE(review): $backbone_ipv4/$backbone_ipv6 and $router_ipv4/$router_ipv6 are
# not defined in this file -- presumably `define` statements rendered elsewhere
# in the deployed ruleset; confirm they are in scope before this table loads.
table inet input {
    # Stateful pre-filter shared by the per-peer chains. Only three conntrack
    # states are mapped: established and related are accepted, invalid is
    # dropped. Any other state (notably `new`) matches no map entry, so the
    # packet returns to the calling chain and is judged by its remaining rules.
    chain conntrack {
        ct state vmap {
            established: counter accept,
            related: counter accept,
            invalid: counter drop,
        }
    }

    # Entered only for packets whose source is $backbone_ipv4 or $backbone_ipv6
    # (see the saddr maps in `input`). Routing-protocol traffic is accepted
    # explicitly, then -- for now -- everything else from the backbone as well.
    # NOTE(review): to my reading `ip6 nexthdr` tests the Next Header field of
    # the fixed IPv6 header, so OSPF/VRRP carried behind an extension header
    # would not match the first rule; `meta l4proto` follows the header chain.
    chain input_from_backbone {
        ip6 nexthdr { ospf, vrrp } accept
        ip protocol { ospf, vrrp } accept
        # FIXME: temporary
        # Blanket accept for every remaining packet from backbone sources. While
        # it is in place the two protocol rules above are effectively redundant;
        # this is the rule to remove once the backbone policy is finalised.
        counter accept
    }

    # Entered only for packets whose source is $router_ipv4 or $router_ipv6.
    # NOTE(review): while the temporary `tcp dport ssh accept` in `input` is
    # present, SSH is already accepted before the source maps are consulted, so
    # the SSH rule below is shadowed and its counter will stay at zero.
    chain input_from_router {
        jump conntrack
        tcp dport ssh counter accept
    }

    # Applied to every non-loopback packet before any source-address check:
    # established/related flows and all ICMP / ICMPv6 are accepted regardless
    # of origin (ICMPv6 is normally required for neighbour discovery). The FIXME
    # records that a rate limit on ICMP is still wanted.
    chain input_from_anywhere {
        jump conntrack
        # FIXME: limit
        ip6 nexthdr icmpv6 counter accept
        ip protocol icmp counter accept
    }

    # Base chain on the input hook. `policy drop` is the fallback, but every
    # packet that is not accepted earlier reaches the unconditional reject on
    # the last rule, so unmatched traffic gets an admin-prohibited ICMP/ICMPv6
    # error (icmpx covers both families) rather than being silently dropped.
    chain input {
        type filter hook input priority filter
        policy drop

        iif lo accept
        jump input_from_anywhere
        # FIXME: temporary
        # Accepts SSH from any source ahead of the per-peer dispatch below; it is
        # the only accept in this table without a counter.
        tcp dport ssh accept
        ip6 saddr vmap {
            $backbone_ipv6: jump input_from_backbone,
            $router_ipv6: jump input_from_router,
        }
        ip saddr vmap {
            $backbone_ipv4: jump input_from_backbone,
            $router_ipv4: jump input_from_router,
        }
        reject with icmpx type admin-prohibited
    }
}