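#!/usr/bin/env -S nft -f
#
# IPv6 rules for the VPN bridge (br0), rendered from an Ansible/Jinja2
# template: DNAT port forwards on the default IPv6 interface, plus
# forward-path filtering for bridge clients and "local only" addresses.

# Start from an empty table on every load. Without this, re-running the file
# appends the rules to the existing chains, and a DNAT forward that was
# removed from the configuration stays active (its ports stay exposed) until
# the table is flushed by hand. nft applies a file as a single transaction,
# so the delete and the re-create below take effect together.
add table ip6 br0_ipv6
delete table ip6 br0_ipv6

table ip6 br0_ipv6 {
    chain prerouting {
        # -100 is the conventional destination-NAT priority.
        type nat hook prerouting priority -100;

        # One rule per vpn_bridge_dnat entry: TCP connections that arrive on
        # the default IPv6 interface for the listed ports are redirected to
        # that entry's inet6_address. There is no source restriction, so each
        # listed port is reachable from any IPv6 source that can reach the
        # interface; keep the port lists minimal.
        # The forward chain below sees these packets with the rewritten
        # destination, so a DNAT target that is also listed as "local only"
        # has its forwarded connections dropped there.
{% for forward in vpn_bridge_dnat %}
        iif {{ ansible_default_ipv6.interface }} tcp dport { {{ forward.ports | join(", ") }} } dnat to {{ forward.inet6_address }};
{% endfor %}
    }

    chain forward {
        # The original declared no policy, so the base-chain default (accept)
        # applied. It is spelled out here: only the drop rules below restrict
        # forwarding in this table.
        type filter hook forward priority 0; policy accept;

{% if local_inet6_network is defined %}
        # Let replies to existing connections through, then stop bridge
        # clients from opening new connections into the local network.
        # NOTE(review): iif binds to the interface index resolved when the
        # ruleset is loaded. If br0 can be removed and re-created (for example
        # when the VPN service restarts), this drop stops matching until the
        # ruleset is reloaded; iifname "br0" matches by name instead. Confirm
        # which behaviour is wanted.
        ct state established,related accept;
        iif br0 ip6 daddr {{ local_inet6_network }} drop;
{% endif %}

{% if vpn_bridge_local_only_inet6_daddr %}
        # Drop all traffic to these addresses unless it comes from the VPN
        # bridge subnet.
        # NOTE(review): the established/related accept above is only rendered
        # when local_inet6_network is defined. With it, replies to connections
        # opened by these hosts are accepted before this rule; without it,
        # this rule drops those replies as well. Confirm that this dependence
        # on an unrelated variable is intended.
        ip6 saddr != {{ vpn_bridge_inet6_subnet }} ip6 daddr { {{ vpn_bridge_local_only_inet6_daddr | join(", ") }} } drop;
{% endif %}
    }
}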