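#!/usr/bin/nft -f
# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
# vim:set ts=2 sw=2 et:
#
# Host firewall: default-drop input and forward, source NAT for traffic leaving
# via wlan0. The "inet" table covers IPv4 and IPv6 together; the "ip" tables
# further down are IPv4-only.

# Start from a clean slate on every load.
# NOTE(review): "flush ruleset" removes every table in the kernel, including
# tables created by other tools (e.g. iptables-nft users); confirm the load
# order against whatever else populates "table ip filter" below.
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # allow established/related connections
    ct state { established, related } accept

    # early drop of invalid connections
    ct state invalid drop

    # allow from loopback
    iifname lo accept

    # allow icmp / icmpv6 (path MTU discovery, neighbour discovery, ...).
    # "meta l4proto" matches the transport protocol even when IPv6 extension
    # headers precede it; "ip6 nexthdr icmpv6" only matched when ICMPv6 was the
    # very next header after the IPv6 header.
    meta l4proto icmp accept
    meta l4proto ipv6-icmp accept

    # allow ssh from any source
    tcp dport ssh accept

    # syncthing, only from the peer at 10.8.1.1
    ip saddr 10.8.1.1 tcp dport 22000 accept

    # allow dns (53) and dhcp (67) requests arriving via the bridge
    iifname "vmbr0" udp dport { 53, 67 } accept
  }

  chain forward {
    # "security" priority (50) runs after "filter" priority (0) chains, so an
    # ip filter FORWARD chain registered by iptables-nft sees the packet first;
    # packets dropped there never reach this chain.
    type filter hook forward priority security; policy drop;

    ct state { established, related } accept

    # Packets marked 1 by the DOCKER-USER chain in "table ip filter" below.
    # The mark is set unconditionally there, so every IPv4 packet that traverses
    # that chain and is not dropped by it is accepted here; the drop policy of
    # this chain therefore only governs traffic that never passed through
    # DOCKER-USER (e.g. IPv6).
    mark 1 accept

    # bridge <-> wlan0 in both directions
    iifname "vmbr0" oifname "wlan0" accept
    iifname "wlan0" oifname "vmbr0" accept
  }
}

# IPv4-only. DOCKER-USER has no hook of its own; it is presumably jumped to from
# a FORWARD chain maintained outside this file (iptables-nft style). Marking
# every packet here is what makes "mark 1 accept" above fire.
table ip filter {
  chain DOCKER-USER {
    mark set 1
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;

    # optional: forward inbound http from wlan0 to an internal host (disabled)
    # iifname "wlan0" tcp dport { http } dnat to 10.4.0.243
  }

  chain postrouting {
    type nat hook postrouting priority 0; policy accept;

    # source-NAT everything leaving via wlan0 behind the wlan0 address
    oifname "wlan0" masquerade
  }
}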