#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}

# IPv4 input filter for this host. The input chain defaults to drop; only the
# services listed below are reachable, and the VPN-side services are further
# restricted to the VPN client subnets and the VPN gateway address.
#
# NOTE(review): this is an `ip` (IPv4-only) family table, so IPv6 traffic is
# not governed by these rules — confirm an `ip6`/`inet` ruleset exists if the
# host has IPv6 connectivity.
# NOTE(review): loading this file with `nft -f` over an already-loaded
# `ip filter` table appends the rules again rather than replacing them —
# confirm the deploy step flushes the table before applying this file.

# Tunnel interfaces, VPN client ranges, and the VPN-side address the
# VPN-only services are reached on.
define vpn_ifaces  = { "tun0", "tun1" }
define vpn_clients = { 10.8.0.0/24, 10.8.1.0/24 }
define vpn_gateway = 10.8.0.1/32

table ip filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # Packets belonging to an already-accepted flow are let through first.
    ct state established,related accept
    # Packets that cannot be matched to any tracked connection are dropped early.
    ct state invalid drop

    # Loopback and ICMP are unrestricted.
    iifname lo accept
    ip protocol icmp accept

    # Services exposed on the LAN bridge (any source on br0).
    iifname "br0" tcp dport {{ ssh_port }} accept comment "SSH"
    iifname "br0" tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS"
    iifname "br0" tcp dport {{ vpn_mobile_port }} accept comment "OpenVPN TCP"
    iifname "br0" udp dport {{ vpn_mobile_port }} accept comment "OpenVPN UDP"
    iifname "br0" tcp dport {{ vpn_lan_port }} accept comment "OpenVPN LAN TCP"
    iifname "br0" udp dport {{ vpn_lan_port }} accept comment "OpenVPN LAN UDP"

    # Services exposed to VPN clients only: the packet must arrive on a tunnel
    # interface, come from a VPN client subnet, and be addressed to the gateway.
    iifname $vpn_ifaces ip saddr $vpn_clients ip daddr $vpn_gateway tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS"
    iifname $vpn_ifaces ip saddr $vpn_clients ip daddr $vpn_gateway tcp dport {{ transmission_port }} accept comment "Transmission"
    iifname $vpn_ifaces ip saddr $vpn_clients ip daddr $vpn_gateway tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } accept comment "Syncthing"
    iifname $vpn_ifaces ip saddr $vpn_clients ip daddr $vpn_gateway tcp dport {{ mpd_port }} accept comment "MPD"
    iifname $vpn_ifaces ip saddr $vpn_clients ip daddr $vpn_gateway tcp dport {{ nfs_port }} accept comment "NFS"
  }
}