diff --git a/uncloud/hack/hackcloud/nftrules b/uncloud/hack/hackcloud/nftrules
new file mode 100644
index 0000000..661d91f
--- /dev/null
+++ b/uncloud/hack/hackcloud/nftrules
@@ -0,0 +1,32 @@
+flush ruleset
+
+table bridge filter {
+ chain prerouting {
+ type filter hook prerouting priority 0;
+ policy accept;
+ ibrname br100 jump netpublic
+ }
+ chain netpublic {
+
+ iifname tap1 jump vm1
+
+ icmpv6 type {nd-router-solicit, nd-router-advert,
+ nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
+
+ }
+ chain vm1 {
+ ether saddr != 02:00:f0:a9:c4:4e drop
+ }
+}
+
+table ip6 filter {
+ chain forward {
+ type filter hook forward priority 0;
+
+ # policy drop;
+
+ ct state established,related accept;
+
+ }
+
+}
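Review bot: The `forward` chain in `table ip6 filter` has its `policy drop;` commented out, so the base chain falls back to the default accept policy and the `ct state established,related accept` rule changes nothing: every forwarded IPv6 packet is accepted. If filtering is intended here, restore `policy drop;` and add explicit accept rules for the new connections that should be allowed. Separately, in `netpublic` the neighbour-discovery rule ends in `log` with no verdict, so router advertisements and redirects arriving from `tap1` are logged and then accepted by the prerouting policy; a rule in `vm1` such as `icmpv6 type { nd-router-advert, nd-redirect } drop` would keep a guest from acting as a router on br100. The `ether saddr` check pins the MAC only, and no rule in this file ties the guest to an IPv6 source address.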