# Per-port source filtering for the VM ports attached to bridge br100.
#
# NOTE: "flush ruleset" removes every table of every address family on the
# host, not just the bridge table defined below. Load this file only where
# it is meant to be the complete ruleset.
flush ruleset

define BRIDGE = br100
define UPLINK = vxlan100

table bridge filter {
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;

        # Only frames that enter through a port of the bridge are filtered;
        # everything else falls through to the accept policy.
        ibrname $BRIDGE jump br100
    }

    chain br100 {
        # The uplink is treated as trusted: every frame arriving from it is
        # accepted before any of the drop rules below is evaluated, so
        # router advertisements and DHCP replies are still allowed from
        # this side.
        iifname $UPLINK accept

        # From here on only the remaining bridge ports (the VM ports) are
        # left. Block the traffic that would let a VM pose as a router or
        # as an address server:
        #   - ICMPv6 router advertisements
        #   - UDP source port 547 over IPv6 (DHCPv6 server port)
        #   - UDP source port 67 over IPv4 (DHCPv4 server port)
        icmpv6 type nd-router-advert drop
        ip6 version 6 udp sport 547 drop
        ip version 4 udp sport 67 drop

        # Per-VM allow list. A frame that matches no entry returns here
        # and is dropped (default deny for VM ports).
        jump br100_vmlist
        drop
    }

    chain br100_vmlist {
        # An entry accepts only when ingress port, source MAC and IPv6
        # source address all match, binding each address to one port.
        #
        # NOTE(review): every entry matches on "ip6 saddr", so non-IPv6
        # frames from VM ports (ARP, IPv4) and IPv6 packets with a
        # link-local (fe80::/10) or unspecified (::) source match nothing
        # here and reach the final drop in br100. Confirm this is intended
        # for the VMs' address configuration.

        # VM1
        iifname tap1 ether saddr 02:00:f0:a9:c4:4e ip6 saddr 2a0a:e5c1:111:888:0:f0ff:fea9:c44e accept

        # VM2: its own address, plus a whole /64 as source
        # (presumably a prefix routed to this VM; verify against the
        # routing setup).
        iifname v343a-0 ether saddr 02:00:f0:a9:c4:4f ip6 saddr 2a0a:e5c1:111:888:0:f0ff:fea9:c44f accept
        iifname v343a-0 ether saddr 02:00:f0:a9:c4:4f ip6 saddr 2a0a:e5c1:111:1234::/64 accept
    }
}