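#!/usr/bin/env -S nft -f
# NAT and host-input rules for the br0 bridge (IPv4 only). This file is a
# template: the double-brace placeholders are substituted before nft reads it.
#
# Declare the table first so the flush cannot fail on a fresh host, then empty
# it. Without this prelude every re-application of the file appends a second
# copy of each rule and keeps rules rendered from an earlier template run (for
# example a previous service address) in effect. nft -f still commits the whole
# file as one atomic transaction.
table ip br0_ipv4
flush table ip br0_ipv4

table ip br0_ipv4 {
  # Port-forwards from the uplink interface into the bridge. Only the address
  # is rewritten; the original destination port is preserved.
  chain prerouting {
    type nat hook prerouting priority -100;
    iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ services['lrproxy'].address }};
    iif {{ ethx }} tcp dport {{ services['git'].ssh_port }} dnat to {{ services['git'].address }};
  }

  # Host-bound traffic only: the input hook never sees packets that are routed
  # between interfaces. No explicit policy is set, so anything not matched
  # below falls through to the chain's default accept.
  chain input {
    type filter hook input priority 0;
    ct state established,related accept;
    # Bridge members may not reach the host's own addresses within the subnet.
    iif br0 ip daddr {{ subnet }} drop;
  }

  # Source-NAT bridge traffic that leaves through the uplink.
  chain postrouting {
    type nat hook postrouting priority 100;
    iif br0 oif {{ ethx }} masquerade;
  }
}
# No forward chain is defined in this table: DNAT'd flows and any other traffic
# routed between br0 and the uplink are governed only by whatever other tables
# on the host attach to the forward hook (kernel default when none: accept).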