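#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
#
# Host firewall: default-drop input and forward chains, with the traffic
# Docker forwards admitted via a packet mark set in its DOCKER-USER chain.

# Packet mark that hands Docker-forwarded traffic to the inet forward chain;
# one symbol so both tables below agree on the value.
define docker_mark = 1

# Start from a clean slate. NOTE(review): this also discards the chains
# Docker installs (including its FORWARD jump into DOCKER-USER), so Docker
# typically has to be restarted after this file is loaded — confirm on host.
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # allow established/related connections
    ct state { established, related } accept

    # early drop of invalid connections
    ct state invalid drop

    # allow from loopback
    iifname lo accept

    # allow icmp / icmpv6. `meta l4proto` matches the actual transport header,
    # so ICMPv6 carried behind IPv6 extension headers is matched as well;
    # `ip6 nexthdr icmpv6` only matches when ICMPv6 is the very next header.
    meta l4proto { icmp, icmpv6 } accept

    # allow ssh (any source address)
    tcp dport ssh accept

    # syncthing, only from the peer at 10.0.0.1
    ip saddr 10.0.0.1 tcp dport 22000 accept
  }

  chain forward {
    # priority security (50) runs after the ip-family filter hook at
    # priority 0, where DOCKER-USER below sets the mark this chain tests.
    type filter hook forward priority security; policy drop;

    ct state { established, related } accept

    # packets Docker chose to forward carry the mark; for those, Docker's
    # own FORWARD policy is trusted and nothing further is filtered here
    mark $docker_mark accept
  }
}

# Docker (with iptables-nft) jumps into DOCKER-USER from its FORWARD chain,
# presumably why the chain is declared here: every forwarded packet Docker
# handles gets marked and is then admitted by inet filter forward above.
table ip filter {
  chain DOCKER-USER {
    mark set $docker_mark
  }
}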