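{ lib, pkgs, config, ... }:

{
  # Extra nftables table that *restricts* the Yggdrasil interface (ygg0).
  # NOTE(review): every base chain here has `policy accept`, so this table only
  # narrows ygg0; it cannot widen access elsewhere. Any other table loaded on
  # the host (e.g. the one NixOS generates for networking.firewall when nftables
  # is enabled) is evaluated too, and a packet is delivered only if no table
  # drops it. Confirm which other tables are active before relying on the
  # `policy accept` on non-ygg0 interfaces.
  networking.nftables = {
    enable = true;
    ruleset = ''
      table inet filter {
        chain input {
          type filter hook input priority filter; policy accept;

          # Replies to connections this host opened (including over ygg0).
          ct state related,established accept

          # Restrict ygg0: only allow SSH in.
          iifname "ygg0" tcp dport 22 accept

          # Yggdrasil traffic is IPv6 over a TUN device, so path-MTU discovery
          # depends on ICMPv6 error messages (notably Packet Too Big) reaching
          # this host through ygg0. The unconditional drop below used to swallow
          # them and silently break large transfers; allow only the error
          # types, not echo-request, so "only SSH" stays the exposed service.
          iifname "ygg0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

          # Everything else arriving on ygg0 is dropped.
          iifname "ygg0" drop
        }

        chain forward {
          type filter hook forward priority filter; policy accept;

          # Optional: drop forwarding via ygg0. The previous rule matched only
          # traffic *arriving from* ygg0; forwarding *into* the Yggdrasil network
          # was still allowed by the accept policy, so cover both directions.
          iifname "ygg0" drop
          oifname "ygg0" drop
        }

        chain output {
          type filter hook output priority filter; policy accept;
        }
      }
    '';
  };
}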