ansible-roles/vpn/bridge/templates/post-up-br0-ipv6.nft

#!/usr/bin/env -S nft -f

table ip6 br0_ipv6 {
        chain prerouting {
                type nat hook prerouting priority -100;
{% for forward in vpn_bridge_dnat %}
                iif {{ ansible_default_ipv6.interface }} tcp dport { {{ forward.ports | join(", ") }} } dnat to {{ forward.inet6_address }};
{% endfor %}
        }

        chain forward {
                type filter hook forward priority 0;
{% if local_inet6_network is defined %}

                ct state established,related accept;
                iif br0 ip6 daddr {{ local_inet6_network }} drop;
{% endif %}
{% if vpn_bridge_local_only_inet6_daddr %}

                # Drop all external traffic for these addresses.
                ip6 saddr != {{ vpn_bridge_inet6_subnet }} ip6 daddr { {{ vpn_bridge_local_only_inet6_daddr | join(", ") }} } drop;
{% endif %}
        }
}
Add IPv6 support to bridges 2023-07-27 23:07:45 +02:00			`#!/usr/bin/env -S nft -f`

			`table ip6 br0_ipv6 {`
			`chain prerouting {`
			`type nat hook prerouting priority -100;`
			`{% for forward in vpn_bridge_dnat %}`
			`iif {{ ansible_default_ipv6.interface }} tcp dport { {{ forward.ports \| join(", ") }} } dnat to {{ forward.inet6_address }};`
			`{% endfor %}`
			`}`

			`chain forward {`
			`type filter hook forward priority 0;`
			`{% if local_inet6_network is defined %}`

			`ct state established,related accept;`
			`iif br0 ip6 daddr {{ local_inet6_network }} drop;`
			`{% endif %}`
			`{% if vpn_bridge_local_only_inet6_daddr %}`

			`# Drop all external traffic for these addresses.`
			`ip6 saddr != {{ vpn_bridge_inet6_subnet }} ip6 daddr { {{ vpn_bridge_local_only_inet6_daddr \| join(", ") }} } drop;`
			`{% endif %}`
			`}`
			`}`