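#!/usr/bin/env -S nft -f

# NAT and host-protection rules for traffic crossing the br0 bridge.
# This file is a Jinja2 template and is rendered before nft reads it.
# Template variables used: vpn_bridge_dnat (entries with .ports and .address),
# ansible_default_ipv4.interface, and the optional local_network.

# Declare-then-delete so every load starts from an empty table. Without this,
# re-running the file appends duplicate rules, and a port forward that was
# removed from vpn_bridge_dnat would stay active in the kernel. nft -f applies
# the whole file as one transaction, so the old rules are swapped for the new
# ones atomically.
table ip br0_ipv4
delete table ip br0_ipv4

table ip br0_ipv4 {
    chain prerouting {
        type nat hook prerouting priority -100;

        # One DNAT rule per vpn_bridge_dnat entry: TCP arriving on the
        # default-route interface for the listed ports is rewritten to
        # forward.address. Every entry publishes that address on those ports,
        # so keep the list as short as the deployment allows.
        # An entry with an empty ports list renders an empty set, which nft
        # rejects; the load then fails as a whole and no rule is applied.
        {% for forward in vpn_bridge_dnat %}
        iif {{ ansible_default_ipv4.interface }} tcp dport { {{ forward.ports | join(", ") }} } dnat to {{ forward.address }};
        {% endfor %}
    }

    {% if local_network is defined %}
    chain input {
        # No policy is set, so the base-chain default (accept) applies to
        # everything that is not dropped below.
        type filter hook input priority 0;

        # Replies to connections that are already tracked are let through
        # before the drop rule is evaluated.
        ct state established,related accept;

        # Drop new traffic from the bridge that is addressed to local_network.
        # NOTE(review): the input hook only sees packets addressed to this
        # host itself. Packets from br0 that are routed through this host to
        # other machines in local_network traverse the forward hook and are
        # not matched here. If the intent is to isolate bridge clients from
        # the whole range, an equivalent rule in a forward-hook chain is
        # needed; confirm the intent.
        # NOTE(review): iif binds to the interface index at load time. If br0
        # does not exist yet the load fails, and if br0 is re-created later
        # this rule silently stops matching. iifname matches by name and
        # avoids both cases; confirm whether br0 is static on the target host.
        iif br0 ip daddr {{ local_network }} drop;
    }
    {% endif %}

    chain postrouting {
        type nat hook postrouting priority 100;

        # Source-NAT traffic that entered on the bridge and leaves through the
        # default-route interface, so replies come back to this host.
        iif br0 oif {{ ansible_default_ipv4.interface }} masquerade;
    }
}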