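#!/usr/sbin/nft -f
# {{ ansible_managed }}
#
# Host firewall, rendered by Ansible. Loading this file replaces the whole
# ruleset ("flush ruleset" below), so every table the host needs must be
# declared here.

flush ruleset

# NAT is currently disabled (whole table commented out). Kept as a starting
# point for masquerading the wireguard endpoints; the hook of the postrouting
# chain was corrected to "postrouting" so it can be enabled as-is later.
# Note that Jinja still evaluates the {% ... %} / {{ ... }} tags inside these
# comments, so wireguard_endpoints must be defined even while this is off.
#table ip nat {
#
#	chain prerouting {
#		type nat hook prerouting priority -100
#		policy accept
#	}
#
#	chain postrouting {
#		type nat hook postrouting priority 100
#		policy accept
#
#		#{% for endpoint in wireguard_endpoints %}
#		#oifname "{{ endpoint.name }}" masquerade
#		#{% endfor %}
#	}
#
#}

table inet filter {

	# Source-address deny lists, one per address family. They are declared
	# empty here; whatever populates them at runtime is outside this file.
	set blacklist_v4 {
		type ipv4_addr
	}

	set blacklist_v6 {
		type ipv6_addr
	}

	# Drop any packet whose source is in one of the deny lists.
	chain blacklist {
		ip saddr @blacklist_v4 drop
		ip6 saddr @blacklist_v6 drop
	}

	# Connection-tracking fast path: malformed/untracked state is dropped,
	# replies to existing flows are accepted without further rule matching.
	chain conntrack {
		ct state invalid drop
		ct state related, established accept
	}

	chain input {
		type filter hook input priority 0
		policy drop

		iif lo accept
		# Deny list is consulted before conntrack so a blacklisted peer
		# cannot ride an already-established flow.
		jump blacklist
		jump conntrack

		# TODO: ansible + separate nftables module

		# ICMP is needed for path-MTU discovery; ICMPv6 additionally carries
		# neighbour discovery and router advertisements, without which this
		# host loses IPv6 connectivity under a drop policy. The v6 rule can
		# be narrowed to specific icmpv6 types if the exposure is a concern.
		ip protocol icmp accept
		meta l4proto ipv6-icmp accept

		# Per-host allow rules from inventory. Each entry yields one rule:
		#   <proto> [saddr X] [sport X] [daddr X] [dport X] <verdict>
		# NOTE(review): saddr/daddr are only valid after "ip"/"ip6" and
		# sport/dport only after "tcp"/"udp"/"sctp", so a single entry
		# cannot combine an address match with a port match — confirm the
		# inventory only uses one kind per rule.
{% for rule in nftables_basic_input_rules %}
		{{ rule.proto }} \
{% if "saddr" in rule %}
		saddr {{ rule.saddr }} \
{% endif %}
{% if "sport" in rule %}
		sport {{ rule.sport }} \
{% endif %}
{% if "daddr" in rule %}
		daddr {{ rule.daddr }} \
{% endif %}
{% if "dport" in rule %}
		dport {{ rule.dport }} \
{% endif %}
		{{ rule.verdict }}
{% endfor %}
	}

	chain forward {
		type filter hook forward priority 0
		policy drop

		iif lo accept
		jump blacklist
		jump conntrack

		# Anything arriving on a wireguard interface may be forwarded;
		# return traffic is covered by the conntrack chain above.
{% for endpoint in wireguard_endpoints %}
		iifname "{{ endpoint.name }}" accept
{% endfor %}
	}

	# Locally generated traffic is unrestricted.
	chain output {
		type filter hook output priority 0
		policy accept
	}
}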