Set up nftables to only allow connections through a vpn and block all ipv6 traffic
3 votes | 1 answer | 4405 views
I am trying to set up an nftables firewall on my Arch Linux distribution that only allows traffic through a VPN (and blocks all IPv6 traffic in order to prevent any IPv6 leaks).
I have been playing around with it for a while now and ended up with a configuration that lets me browse the web, even though, as far as I understand nftables so far, it should not let me do that. The ruleset is pretty short and looks like this:
    table inet filter {
        chain input {
            type filter hook input priority 0; policy drop;
            jump base_checks
            ip saddr VPN_IP_ADRESS udp sport openvpn accept
        }
        chain forward {
            type filter hook forward priority 0; policy drop;
        }
        chain output {
            type filter hook output priority 0; policy drop;
            ip daddr VPN_IP_ADRESS udp dport openvpn accept
            oifname "tun0" accept
        }
        chain base_checks {
            ct state { related, established } accept
            ct state invalid drop
        }
    }
I tried to find my way through with trial and error and had many other rules in there, but with just this, I am able to connect to the VPN server first and then browse the web. Once I remove the last rule from the output chain though, it won't let me browse the web anymore.
I am completely new to this and pretty much overall clueless, trying to learn. Unfortunately, the documentation on nftables is not that extensive, so I am kind of stuck at the moment.
From what I understand so far, this setup should allow me to make a connection to the VPN, but it should not allow any other incoming traffic - yet I can browse the web without problems.
Does anyone know why it works and how I should proceed with the setup of nftables to get a more complete setup?
Asked by user246093 (41 rep) on Aug 11, 2017, 02:18 PM
Last activity: Jun 17, 2025, 09:06 PM
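The behaviour the question describes follows from two rules working together: `oifname "tun0" accept` lets every outbound packet leave through the tunnel, and the replies that come back through tun0 are accepted by `ct state { established, related }` in base_checks, so browsing works even though no other inbound rule exists. The ruleset below is an added example (not the questioner's own file) that keeps that design but makes the intent explicit: loopback is allowed, IPv6 is dropped by a counted rule so leaks become visible in `nft list ruleset`, and the OpenVPN handshake is pinned to the physical interface. `VPN_IP_ADDRESS` is a placeholder and the interface name `eth0` is an assumption; `tun0` is taken from the question.

```nft
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        # Policy drop would discard IPv6 anyway; the counter makes leaks observable.
        meta nfproto ipv6 counter drop
        jump base_checks
        # Replies from the VPN server's UDP endpoint ("eth0" is an assumption).
        iifname "eth0" ip saddr VPN_IP_ADDRESS udp sport openvpn accept
        # Inbound replies on tun0 are already accepted by ct state in base_checks.
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        meta nfproto ipv6 counter drop
        jump base_checks
        # Only the OpenVPN control/data flow may use the physical interface.
        oifname "eth0" ip daddr VPN_IP_ADDRESS udp dport openvpn accept
        # Everything else must leave through the tunnel.
        oifname "tun0" accept
    }
    chain base_checks {
        ct state { established, related } accept
        ct state invalid drop
    }
}
```

Check the file with `nft -c -f /path/to/ruleset.nft` before loading it; after a while online, a non-zero packet count on the `nfproto ipv6` rules in `nft list ruleset` tells you something on the host is still attempting IPv6.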