diff --git a/ucloud/hack/README.org b/ucloud/hack/README.org
index a4668dd..7529263 100644
--- a/ucloud/hack/README.org
+++ b/ucloud/hack/README.org
@@ -5,3 +5,9 @@ This directory contains unfinishe hacks / inspirations
 *** might have scaling issues?
 ** firewall rules on each VM host
    - mac filtering:
+* To add / block
+** TODO arp poisoning
+** TODO ndp "poisoning"
+** TODO ipv4 dhcp server
+*** drop dhcpv4 requests
+*** drop dhcpv4 answers
diff --git a/ucloud/hack/nftables.conf b/ucloud/hack/nftables.conf
index 3758db0..7d1742e 100644
--- a/ucloud/hack/nftables.conf
+++ b/ucloud/hack/nftables.conf
@@ -69,9 +69,26 @@ table ip6 filter {
 
         chain vmXXXX {
              ether saddr != 00:0f:54:0c:11:04 drop;
+             ip6   saddr != 2001:db8:1:000f::540c:11ff:fe04 drop;
+             jump drop_from_vm_without_ipam
+        }
+
+        chain net_2a0ae5c05something {
+
+
+        }
+
+        chain drop_from_vm_without_ipam {
+
         }
 
         chain vmYYYY {
              ether saddr != 00:0f:54:0c:11:05 drop;
+             jump drop_from_vm_with_ipam
+        }
+
+        # Drop stuff from every VM
+        chain drop_from_vm_with_ipam {
+              icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
         }
 }
\ No newline at end of file