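# {{ ansible_managed }}
# vim:set ts=2 sw=2 et:
#
# Host firewall for an Ansible-managed node.
#
# Scope: everything below lives in "table ip filter", i.e. IPv4 only. After
# "flush ruleset" there is no IPv6 base chain, so IPv6 traffic is not filtered
# by this file at all.
# NOTE(review): confirm IPv6 is disabled on the host, or add an ip6/inet table
# with its own input policy (plus an icmpv6 accept for neighbour discovery).
#
# Only an input base chain and a prerouting nat chain are defined here; no
# forward or output base chain. Forwarding policy is left to the chains Docker
# creates in this same table (see DOCKER-USER at the bottom).
# NOTE(review): "flush ruleset" also removes Docker's own chains; Docker
# presumably has to be restarted after this file is loaded so it recreates
# FORWARD/DOCKER-* and re-attaches the DOCKER-USER chain — verify against the
# playbook ordering.

flush ruleset

table ip filter {
  chain prerouting {
    type nat hook prerouting priority -100;

    # Syncthing protocol traffic arriving over the VPN for the nginx address is
    # redirected to the application address before any filtering runs, so the
    # filter chains see syncthing_app_ip as the destination.
    iifname {{ vpn_interface }} tcp dport {{ syncthing_protocol_port }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} dnat to {{ syncthing_app_ip }}
  }

  chain input {
    type filter hook input priority 0; policy drop;

    # allow established/related connections
    ct state { established, related } accept

    # early drop of invalid connections
    ct state invalid drop

    # allow from loopback
    iifname lo accept

    # allow icmp (all types, from any interface)
    # NOTE(review): restrict to the needed types or add a limit if the WLAN
    # side is reachable from untrusted hosts — left as the author had it.
    ip protocol icmp accept

    # Per-interface dispatch. goto does not return here: a packet that falls
    # off the end of wlan_chain / vpn_chain / media_vpn_chain hits this chain's
    # drop policy directly and never reaches the log rule below. Only traffic
    # on an interface absent from the vmap is logged.
    # NOTE(review): use "jump" instead of "goto" if every dropped packet should
    # be logged.
    iifname vmap { {{ network_interface }} : goto wlan_chain, {{ vpn_interface }} : goto vpn_chain, {{ vpn_media_interface }} : goto media_vpn_chain }

    # Catch-all for packets on unexpected interfaces. Rate-limited so a flood
    # cannot fill the kernel log, and prefixed so the drops are searchable.
    # When the limit is exceeded the rule simply does not match and the
    # packet still falls to the drop policy.
    limit rate 5/minute burst 10 packets log prefix "nft-input-drop: "
  }

  # LAN/WLAN interface: only the listed ports are reachable; everything else
  # is dropped by the input policy.
  chain wlan_chain {
    tcp dport {{ ssh_port }} accept comment "SSH"
    tcp dport {{ forgejo_ssh_port }} accept comment "Forgejo SSH"
    tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS"
    udp dport {{ vpn_port }} accept comment "Wireguard"
    udp dport {{ vpn_media_port }} accept comment "Wireguard media"
  }

  # Concatenated (saddr . daddr) interval set: VPN client subnet paired with
  # the host's VPN listen address. Used by vpn_chain to restrict DNS and
  # HTTP/HTTPS to traffic addressed to the VPN endpoint itself.
  # NOTE(review): concatenated interval sets need a recent nft/kernel — confirm
  # the target hosts support them.
  set vpn_set {
    typeof ip saddr . ip daddr
    flags interval
    elements = { {{ vpn_subnet }} . {{ vpn_listen_address }}/{{ vpn_prefix }} }
  }

  # Main VPN interface: host services via vpn_set, then per-service addresses
  # matched directly against the VPN client subnet.
  chain vpn_chain {
    meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_set accept comment "DNS"
    tcp dport { {{ http_port }}, {{ https_port }} } ip saddr . ip daddr @vpn_set accept comment "HTTP/HTTPS"
    # TODO: remove?
    # The literal ports 80/443 below are presumably the per-service nginx
    # container ports rather than http_port/https_port — TODO confirm.
    tcp dport 80 ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept comment "Transmission Web"
    tcp dport { 80, 443 } ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} accept comment "Syncthing Web"
    # Matches the post-DNAT destination set by the prerouting chain above.
    tcp dport {{ syncthing_protocol_port }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_app_ip }} accept comment "Syncthing protocol"
    tcp dport 80 ip saddr {{ vpn_subnet }} ip daddr {{ radicale_nginx_ip }} accept comment "Radicale"
    tcp dport {{ mpd_port }} ip saddr {{ vpn_subnet }} ip daddr {{ mpd_app_ip }} accept comment "MPD"
    tcp dport {{ mpd_http_stream_port }} ip saddr {{ vpn_subnet }} ip daddr {{ mpd_app_ip }} accept comment "MPD HTTP stream"
    tcp dport {{ mpd_http_mobile_stream_port }} ip saddr {{ vpn_subnet }} ip daddr {{ mpd_app_ip }} accept comment "MPD HTTP mobile stream"
  }

  # Same shape as vpn_set, for the media VPN.
  set vpn_media_set {
    typeof ip saddr . ip daddr
    flags interval
    elements = { {{ vpn_media_subnet }} . {{ vpn_media_listen_address }}/{{ vpn_media_prefix }} }
  }

  # Media VPN interface: DNS to the VPN endpoint and Jellyfin only.
  chain media_vpn_chain {
    meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_media_set accept comment "DNS"
    tcp dport { 80, 443 } ip saddr {{ vpn_media_subnet }} ip daddr {{ jellyfin_nginx_ip }} accept comment "Jellyfin"
  }

  # docker's user configurable forward hook chain
  # Regular chain (no hook of its own): Docker's FORWARD chain in this same
  # "ip filter" table jumps here first, so these accepts run before Docker's
  # own forwarding rules. Each rule admits VPN clients to one service address.
  # NOTE(review): the prerouting DNAT rewrites Syncthing protocol traffic to
  # syncthing_app_ip, which has no accept here (only syncthing_nginx_ip does);
  # if that address is reached via forwarding rather than the input path, that
  # traffic falls through to Docker's default rules — confirm this is intended.
  chain DOCKER-USER {
    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept
    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} accept
    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ radicale_nginx_ip }} accept
    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ mpd_app_ip }} accept
    iifname {{ vpn_media_interface }} ip saddr {{ vpn_media_subnet }} ip daddr {{ jellyfin_nginx_ip }} accept
  }
}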