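#!/usr/bin/env -S nft -f
# IPv4 NAT and forwarding policy for the VPN bridge (br0), rendered from an
# Ansible/Jinja2 template. `nft -f` applies this whole file as one transaction,
# so the delete + redefine below never leaves a window with no table installed.

# Declare the table first so the delete cannot fail on a fresh host, then
# drop it: `nft -f` appends rules on every run, so re-executing this script
# without clearing the table would accumulate duplicate DNAT and drop rules.
table ip br0_ipv4
delete table ip br0_ipv4

table ip br0_ipv4 {
    chain prerouting {
        type nat hook prerouting priority -100;
        # One DNAT rule per vpn_bridge_dnat entry: TCP connections arriving on
        # the host's default interface for the listed ports are redirected to
        # the bridge-side address of that entry.
        {% for forward in vpn_bridge_dnat %}
        iif {{ ansible_default_ipv4.interface }} tcp dport { {{ forward.ports | join(", ") }} } dnat to {{ forward.inet_address }};
        {% endfor %}
    }

    chain forward {
        type filter hook forward priority 0;
        # Allow-by-default chain: only the drop rules below restrict forwarding.
        # nftables base chains default to accept; stated explicitly so the
        # blocklist nature of this chain is visible to the reader.
        policy accept;
        {% if local_inet_network is defined %}
        # Established/related flows are accepted first, so replies to
        # connections initiated from the local network towards br0 still pass;
        # only new traffic from the bridge into local_inet_network is dropped.
        ct state established,related accept;
        iif br0 ip daddr {{ local_inet_network }} drop;
        {% endif %}
        {% if vpn_bridge_local_only_inet_daddr %}
        # Drop all external traffic for these addresses.
        # NOTE(review): the prerouting DNAT above runs before this hook, so
        # `ip daddr` here is the post-DNAT address; a DNAT target that also
        # appears in vpn_bridge_local_only_inet_daddr has its external traffic
        # dropped by this rule.
        ip saddr != {{ vpn_bridge_inet_subnet }} ip daddr { {{ vpn_bridge_local_only_inet_daddr | join(", ") }} } drop;
        {% endif %}
    }
}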