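# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
#
#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
#
# Host firewall for a machine that bridges guests on vmbr0 to the uplink
# enp34s0 and also runs Docker (which, when using iptables-nft, keeps its own
# chains in the `ip filter` / `ip nat` tables).
#
# Reload safety: `nft -f` *appends* rules to tables and chains that already
# exist, so without a flush every Ansible run would duplicate the ruleset.
# `flush ruleset` is deliberately not used because it would also wipe the
# Docker-managed chains; only the objects this file owns are flushed, and
# each one is created first so the flush cannot fail on a fresh host.

add table inet filter
flush table inet filter

add table ip filter
add chain ip filter DOCKER-USER
flush chain ip filter DOCKER-USER

add table ip nat
add chain ip nat prerouting { type nat hook prerouting priority 0; policy accept; }
add chain ip nat postrouting { type nat hook postrouting priority 0; policy accept; }
flush chain ip nat prerouting
flush chain ip nat postrouting

table inet filter {
  chain input {
    # Explicit drop policy: the trailing reject rule already catches everything,
    # but an explicit closed default means a chain that ends up without that
    # rule is still closed rather than open.
    type filter hook input priority 0; policy drop;

    # allow established/related connections
    ct state { established, related } accept

    # early drop of invalid connections
    ct state invalid drop

    # allow from loopback
    iifname lo accept

    # allow icmp (IPv4 via `ip protocol`, IPv6 via `ip6 nexthdr`)
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # allow ssh from any source (add an `ip saddr` match if the management
    # network is known)
    tcp dport ssh accept

    # syncthing, only from the peer 10.8.1.1
    ip saddr 10.8.1.1 tcp dport 22000 accept

    # allow DNS and DHCP requests from bridged guests on vmbr0
    iifname "vmbr0" udp dport { 53, 67 } accept

    # everything else
    reject with icmpx type port-unreachable
  }

  chain forward {
    # The named priority `security` sorts after the standard filter priority
    # (0) used by iptables-nft's FORWARD chain, so the mark set in DOCKER-USER
    # below has already been applied when this chain runs.
    type filter hook forward priority security; policy drop;

    ct state { established, related } accept

    # Traffic that Docker's FORWARD chain has already passed (marked in
    # DOCKER-USER). NOTE(review): DOCKER-USER is entered for every forwarded
    # packet while Docker's chains are active, so this accept covers all of
    # them and the interface rules below only take effect when those chains
    # are absent — confirm that is the intended fallback behaviour.
    meta mark 1 accept

    # bridged guests <-> uplink
    iifname "vmbr0" oifname "enp34s0" accept
    iifname "enp34s0" oifname "vmbr0" accept
  }
}

# Docker jumps to DOCKER-USER first from its FORWARD chain; tag the packet so
# the inet forward chain above accepts it. The flush above empties this chain
# before the mark rule is added, which guarantees the rule is not appended
# behind a `return` that Docker may have placed there (where it would never
# run). Dropping such a `return` is harmless: a regular chain returns at its
# end anyway.
table ip filter {
  chain DOCKER-USER {
    meta mark set 1
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
    # disabled port forward, kept for reference
    # iifname "enp34s0" tcp dport { http } dnat to 10.4.0.243
  }

  chain postrouting {
    type nat hook postrouting priority 0; policy accept;
    # source-NAT everything leaving the uplink (bridged guests share the host address)
    oifname "enp34s0" masquerade
  }
}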