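#!/usr/bin/env -S nft -f

# Jinja2 template for the br0 bridge: one filter table and one NAT table.
#
# {{ subnet }}, {{ ethx }} and {{ vpn_reverse_proxy_address }} are substituted
# verbatim into a ruleset that is loaded with root privileges. Render them only
# from trusted inventory and validate each one (CIDR, interface name, address)
# before rendering, since a stray ';' or '}' in a value would change the ruleset.
#
# Interfaces are matched by name (iifname/oifname) rather than by index
# (iif/oif). An index match makes the whole file fail to load when the
# interface does not exist yet, and it silently stops matching if the interface
# is deleted and recreated, which would leave the drop rule below inactive.
#
# NOTE(review): loading this file a second time appends the same rules again to
# the existing chains; confirm how the deployment reloads it.

table inet br0_filter {
    chain input {
        # Runs just ahead of the conventional filter priority (0).
        type filter hook input priority -5;
        # Explicit default: this chain is not a default-deny filter.
        policy accept;

        # Replies to existing connections pass before the drop below.
        # "accept" only ends this chain; base chains in other tables on the
        # input hook still evaluate the packet and may drop it.
        ct state established,related accept;

        # New traffic from the bridge to addresses in {{ subnet }} is dropped.
        # The input hook sees only packets addressed to this host, so traffic
        # forwarded from br0 is not covered here.
        # "ip daddr" is IPv4-only: in this inet table IPv6 from br0 is not matched.
        # NOTE(review): confirm that forwarded and IPv6 traffic are handled elsewhere.
        iifname "br0" ip daddr {{ subnet }} drop;
    }
}

table ip br0_nat {
    chain prerouting {
        type nat hook prerouting priority -100;

        # All TCP 80/443 arriving on the uplink is redirected to the reverse
        # proxy, whatever its original destination address.
        iifname "{{ ethx }}" tcp dport { 80, 443 } dnat to {{ vpn_reverse_proxy_address }};
    }

    chain postrouting {
        type nat hook postrouting priority 100;

        # Source-NAT bridge traffic leaving through the uplink.
        # NOTE(review): matching the input interface in a postrouting hook
        # depends on the kernel passing it to that hook; confirm on the target.
        iifname "br0" oifname "{{ ethx }}" masquerade;
    }
}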