I'd suggest a 3 level branch hierarchy (IOW: the lower level
is rebased on top of the next higher level):

* #0: upstream branch
* #1: generic local maintenance branch
* #2: per-instance customization branches

Normal additions go to the lowest level #2. When you've got
some generic commit, you propagate it to the next level
(cherry-pick) and rebase layer #2 on top of it.
Now you can send your layer #1 to upstream for integration.

When upstream has updated his branch, you simply rebase #1
on top of it, do your checks etc., then proceed to rebasing #3.

You could also introduce more intermediate layers (e.g. when you've
got different groups of similar instances that share certain changes).
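The workflow described above, scripted end to end in a throwaway repository. This is an added example, not code from the original post; the branch names (upstream, maint, site-a), the file names and the commit contents are all constructed for the demonstration. It builds the three layers, makes one generic and one site-specific commit on #2, cherry-picks the generic one to #1 and rebases #2 on top of it (git drops the now-duplicate commit by patch-id), then simulates an upstream update and rebases #1 and #2 in turn. At the end it checks that each layer sits directly on the next higher one and that each layer carries exactly one commit of its own.

```shell
#!/bin/sh
# Added example (not from the original post): a scripted walk-through of the
# three-level branch hierarchy in a throwaway repository.
set -e

# Identity for the throwaway commits; the values are constructed.
export GIT_AUTHOR_NAME="demo" GIT_AUTHOR_EMAIL="demo@example.invalid"
export GIT_COMMITTER_NAME="demo" GIT_COMMITTER_EMAIL="demo@example.invalid"

# Helper: append one line to a file and commit it.
add_commit() {   # add_commit <file> <line> <message>
    printf '%s\n' "$2" >> "$1"
    git add "$1"
    git commit -q -m "$3"
}

# Runs in a subshell so the caller's working directory is untouched.
# Returns 0 when the layers line up as described: #1 directly on top of
# #0, #2 directly on top of #1, one own commit per layer.
demo_layered_workflow() (
    command -v git >/dev/null 2>&1 || { echo "git not found; nothing to demonstrate" >&2; exit 0; }
    work=$(mktemp -d)
    cd "$work"
    git init -q .
    git checkout -q -b upstream            # layer #0: upstream branch
    add_commit app.conf "base=1" "upstream: initial config"

    git checkout -q -b maint upstream      # layer #1: generic local maintenance
    git checkout -q -b site-a maint        # layer #2: per-instance customization

    # Normal additions go to #2: one generic fix and one site-specific tweak.
    add_commit app.conf "timeout=30" "generic: sane default timeout"
    generic=$(git rev-parse HEAD)
    add_commit app.conf "hostname=site-a" "site-a: hostname"

    # Propagate the generic commit to #1, then rebase #2 on top of it.
    # The rebase recognizes the cherry-picked commit by patch-id and drops it.
    git checkout -q maint
    git cherry-pick "$generic" >/dev/null
    git checkout -q site-a
    git rebase -q maint

    # Upstream moves on: rebase #1 on it, check, then rebase #2 on #1.
    git checkout -q upstream
    add_commit README "release notes" "upstream: new release"
    git checkout -q maint
    git rebase -q upstream
    git checkout -q site-a
    git rebase -q maint

    # Verify the hierarchy: each layer is an ancestor of the one below it,
    # and each layer carries exactly one commit that the layer above lacks.
    git merge-base --is-ancestor upstream maint || exit 1
    git merge-base --is-ancestor maint site-a  || exit 1
    [ "$(git rev-list --count upstream..maint)" -eq 1 ] || exit 1
    [ "$(git rev-list --count maint..site-a)"  -eq 1 ] || exit 1

    # Show the resulting linear history for the reader.
    git log --oneline --graph site-a
    cd / && rm -rf "$work"
)
```

The generic-commit-dropping step is the one to watch in practice: git only drops a commit from the rebased layer when its patch-id matches one already in the target, so if the cherry-pick was resolved differently (a conflict, an edited hunk) the same change shows up twice and needs to be removed by hand before the layer is sent upstream.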

