Hello
I am trying to achieve something, maybe not possible… let me explain.
I made a simple diagram (without all irrelevant items)
eth0 and eth1 are bridged:
```
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'
```
The network conf is done on the interface "lan", defined like this:
```
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.6.200'
	option netmask '255.255.255.0'
```
Until now, I had no problem.
The DHCP server sends option 6 with a custom DNS server (AdGuard Home) and option 3 with the correct gateway. Note that the ISP's DNS filters some URLs… and allows ads and tracking.
Then I needed to add IPv6. So I enabled it on the ISP modem and… some devices are using the IPv6 address of the ISP modem as their DNS server.
So I tried to intercept all DNS queries going between eth0 and eth1.
No success with the usual firewall rules via LuCI, so I gave nftables rules a try, like this one (I tried a lot of rules...):
```
table bridge filter {
	chain prerouting {
		type filter hook prerouting priority -300; policy accept;
		meta l4proto { udp, tcp } th dport 53 ip saddr != 192.168.6.200 dnat to 192.168.6.200:53
	}
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		oifname br-lan ip saddr 192.168.6.200 masquerade
	}
}
```
Which gives me this error:
```
Error: NAT is only supported for IPv4/IPv6
meta l4proto { udp, tcp } th dport 53 ip saddr != 192.168.6.200 dnat to 192.168.6.200:53
                                                                ^^^^
Error: NAT is only supported for IPv4/IPv6
oifname br-lan ip saddr 192.168.6.200 masquerade
                                      ^^^^^^^^^^
```
I think this is normal, as a bridge is L2 only.
Last note: I am new to nftables.
So, if you have any advice, I will try it. I have done a separate setup for this task, which is WAF compliant.
Thank you
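As an added example (not the poster's configuration), the same DNS redirect expressed in the `inet` family, whose prerouting hook does accept nat statements, unlike the `bridge` family that produced the error above. It assumes AdGuard Home listens on 192.168.6.200:53 as in the post, that the table and chain names are arbitrary, and that traffic forwarded between the two bridge ports only reaches the `inet` hooks when br_netfilter is loaded and `net.bridge.bridge-nf-call-iptables` is enabled.

```nft
# Added example, not from the original post.
# Family "inet" sees IPv4 and IPv6 and supports dnat/redirect;
# the "bridge" family is L2 only and rejects nat statements.
table inet dns_redirect {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;

		# Never rewrite queries that the resolver itself sends upstream,
		# otherwise AdGuard Home would be looped back onto itself.
		ip saddr 192.168.6.200 accept

		# Any DNS query (UDP or TCP port 53) entering from the bridge is
		# sent to AdGuard Home. conntrack reverses the translation on the
		# reply, so no postrouting masquerade is needed for a local target.
		iifname "br-lan" meta l4proto { udp, tcp } th dport 53 dnat ip to 192.168.6.200:53

		# For IPv6 clients that picked up the modem's address as resolver,
		# an analogous "dnat ip6 to [<router-ipv6-address>]:53" rule is needed;
		# the router's IPv6 address is a placeholder here, not given in the post.
	}
}
```

Bridged packets between eth0 and eth1 bypass the `inet` prerouting hook entirely unless the br_netfilter module is present (kmod-br-netfilter on OpenWrt) and the bridge-nf-call sysctls are set, so check that first when the rule loads but nothing is redirected.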
