#!/usr/bin/env -S nft -f
# IPv4 NAT and forwarding rules for the br0 bridge (Ansible/Jinja2 template).
# Within a chain the first terminating verdict (accept/drop) wins, so the
# relative order of the rules below is part of the policy, not cosmetic.
table ip br0_ipv4 {
    # Port forwards from the default (upstream-facing) interface into the bridge.
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
{% for forward in vpn_bridge_dnat %}
        # TCP only. The dnat carries no port, so the destination port is kept.
        iif "{{ ansible_default_ipv4.interface }}" tcp dport { {{ forward.ports | join(', ') }} } dnat to {{ forward.address }};
{% endfor %}
    }

    chain forward {
        # A base chain defaults to policy accept; it is spelled out here so the
        # permissive default is visible: anything not dropped below is forwarded.
        type filter hook forward priority 0; policy accept;
{% if local_network is defined %}
        # Already-tracked connections are accepted first, so the drop that
        # follows only affects new (untracked) traffic from br0 into local_network.
        ct state { established, related } accept;
        iif "br0" ip daddr {{ local_network }} drop;
{% endif %}
{% if vpn_bridge_local_only_daddr %}
        # Drop all external traffic for these addresses.
        # "External" means any source outside vpn_bridge_subnet. The forward
        # hook runs after prerouting DNAT, so this also covers port forwards
        # whose target is one of these addresses. The surrounding if-guard also
        # avoids rendering an empty set when the list is empty.
        ip saddr != {{ vpn_bridge_subnet }} ip daddr { {{ vpn_bridge_local_only_daddr | join(', ') }} } drop;
{% endif %}
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Source-NAT bridge traffic that leaves via the default interface.
        iif "br0" oif "{{ ansible_default_ipv4.interface }}" masquerade;
    }
}