Add rules for local-only forwarding

vpn/bridge/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+vpn_bridge_local_only_daddr: []

vpn/bridge/meta/argument_specs.yml

@@ -22,6 +22,13 @@ argument_specs:
       vpn_bridge_netmask:
         type: "str"
         required: true
+      vpn_bridge_subnet:
+        type: "str"
+        required: true
       vpn_bridge_routing_table:
         type: "int"
         required: false
+      vpn_bridge_local_only_daddr:
+        type: "list"
+        elements: "str"
+        required: true

vpn/bridge/templates/post-up-br0-ipv4.nft

@@ -8,14 +8,21 @@ table ip br0_ipv4 {
 {% endfor %}
         }
 
+        chain forward {
+                type filter hook forward priority 0;
+
 {% if local_network is defined %}
-        chain input {
-                type filter hook input priority 0;
                 ct state established,related accept;
                 iif br0 ip daddr {{ local_network }} drop;
-        }
 
 {% endif %}
+{% if vpn_bridge_local_only_daddr %}
+                # Drop all external traffic for these addresses.
+                ip saddr != {{ vpn_bridge_subnet }} ip daddr { {{ vpn_bridge_local_only_daddr | join(", ") }} } drop;
+
+{% endif %}
+        }
+
         chain postrouting {
                 type nat hook postrouting priority 100;
                 iif br0 oif {{ ansible_default_ipv4.interface }} masquerade;