# Bridge-level filtering for guests attached to br100.
#
# NOTE: `flush ruleset` removes every table of every family (ip, ip6, inet,
# arp, bridge), not only the one defined here; anything another tool loaded
# is gone once this file is applied.
flush ruleset

# Identity of vm1, used by its anti-spoofing chain below. The IPv6 address is
# the EUI-64 form of the MAC (02:00:f0:a9:c4:4e -> ::f0ff:fea9:c44e).
define VM1_MAC = 02:00:f0:a9:c4:4e
define VM1_IP6 = 2a0a:e5c1:111:888:0:f0ff:fea9:c44e

table bridge filter {
    # Entry point: every frame entering bridge br100 is handed to netpublic.
    # Frames on any other bridge are not inspected (policy accept).
    chain prerouting {
        type filter hook prerouting priority 0;
        policy accept;
        meta ibrname "br100" jump netpublic
    }

    # Frames from the overlay (vxlan100) are trusted and accepted first; every
    # other ingress interface is subject to the rogue-service blocks below.
    # The chain ends without a verdict, so unmatched frames fall through to
    # the prerouting policy (accept).
    chain netpublic {
        meta iifname "vxlan100" jump from_uncloud

        # Keep guests from posing as IPv6 routers or as DHCPv6/DHCPv4 servers
        # on the shared segment: drop router advertisements and DHCP replies
        # sourced from the server port (547 for DHCPv6, 67 for DHCPv4).
        icmpv6 type nd-router-advert drop
        ip6 version 6 udp sport 547 drop
        ip version 4 udp sport 67 drop

        # Per-VM hooks: each tap interface jumps to its own anti-spoofing chain.
        # Currently disabled; vm1 is never reached until this line is enabled.
        # meta iifname "tap1" jump vm1
    }

    # Anti-spoofing for vm1: the source MAC must be the VM's own, and every
    # IPv6 packet must carry the VM's global address. IPv4 and non-IP frames
    # that pass the MAC check are not restricted here.
    # NOTE(review): the ip6 rule also drops packets sourced from the VM's
    # link-local address (fe80::/10), e.g. its own neighbour solicitations and
    # advertisements -- confirm that is intended before enabling the tap1 jump.
    chain vm1 {
        ether saddr != $VM1_MAC drop
        ip6 saddr != $VM1_IP6 drop
    }

    # Overlay traffic is accepted unconditionally.
    chain from_uncloud {
        accept
    }
}

# Disabled: host-level IPv6 forward filter, kept for reference.
# table ip6 filter {
#     chain forward {
#         type filter hook forward priority 0;
#         # policy drop;
#         ct state established,related accept;
#     }
# }

# Disabled: host-level IPv4 filter, kept for reference.
# table ip filter {
#     chain input {
#         type filter hook input priority filter; policy drop;
#         iif "lo" accept
#         icmp type { echo-reply, destination-unreachable, source-quench, redirect, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply } accept
#         ct state established,related accept
#         tcp dport { 22 } accept
#         log prefix "firewall-ipv4: "
#         udp sport 67 drop
#     }
#     chain forward {
#         type filter hook forward priority filter; policy drop;
#         log prefix "firewall-ipv4: "
#     }
#     chain output {
#         type filter hook output priority filter; policy accept;
#     }
# }