{{ ansible_managed | comment }}

# Host input filter (inet family: one ruleset for IPv4 and IPv6).
# Everything not explicitly accepted below ends in an explicit reject
# at the bottom of chain input.
table inet input {

    # Shared connection-tracking verdicts: accept packets belonging to an
    # already tracked flow, drop untrackable state. Entered via `jump`, so
    # anything else returns to the calling chain.
    chain conntrack {
        ct state vmap {
            established: accept,
            related: accept,
            invalid: drop,
        }
    }

    # Node-exporter scraping (TCP/9100) from the Prometheus infrastructure.
    # NOTE(review): nothing in chain input jumps here, so this chain is
    # currently unreachable and a new connection to 9100 from
    # $prom_infra_* would reach the final reject - confirm whether a
    # saddr vmap entry is missing.
    chain input_from_server {
        jump conntrack
        ip6 saddr $prom_infra_ipv6 tcp dport 9100 accept
        ip saddr $prom_infra_ipv4 tcp dport 9100 accept
    }

    # Routing-protocol traffic from backbone neighbours (OSPF, VRRP).
    chain input_from_backbone {
        ip6 nexthdr { ospf, vrrp } accept
        ip protocol { ospf, vrrp } accept
        # FIXME: temporary - accepts all remaining traffic from backbone
        # sources; the counter shows how much still depends on this.
        counter accept
    }

    # Management access from routers.
    chain input_from_router {
        # conntrack verdicts were already applied via input_from_anywhere
        # before dispatch; this jump only matters if the chain is reached
        # another way.
        jump conntrack
        tcp dport ssh counter accept
    }

    # Management access from bastion hosts.
    # NOTE(review): as with input_from_server, chain input does not
    # dispatch here yet - confirm the intended source set.
    chain input_from_bastion {
        jump conntrack
        tcp dport ssh counter accept
    }

    # Accepted regardless of source: tracked connections and ICMP/ICMPv6.
    chain input_from_anywhere {
        jump conntrack
        # FIXME: limit - ICMP is accepted with no rate limit.
        ip6 nexthdr icmpv6 counter accept
        ip protocol icmp counter accept
    }

    # Base chain: default-deny, then per-source dispatch.
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        jump input_from_anywhere

        # FIXME: temporary - SSH accepted from any source, bypassing the
        # per-source chains below.
        tcp dport ssh accept

        ip6 saddr vmap {
            $backbone_ipv6: jump input_from_backbone,
            $router_ipv6: jump input_from_router,
        }
        ip saddr vmap {
            $backbone_ipv4: jump input_from_backbone,
            $router_ipv4: jump input_from_router,
        }

        # Anything not dispatched above is refused explicitly; the drop
        # policy is only the fallback should evaluation reach the end of
        # the chain without a verdict.
        reject with icmpx type admin-prohibited
    }
}