rework firewall setup

bundles/nftables/files/nftables.conf

@@ -19,6 +19,13 @@ table inet filter {
         ip protocol icmp accept
 
         ip6 nexthdr ipv6-icmp accept
+% for ruleset, rules in sorted(input.items()):
+
+        # ${ruleset}
+%  for rule in rules:
+        ${rule}
+%  endfor
+% endfor
     }
 
     chain output {
@@ -32,15 +39,36 @@ table inet filter {
 
         icmp type timestamp-request drop
         icmp type timestamp-reply drop
+% for ruleset, rules in sorted(forward.items()):
+
+        # ${ruleset}
+%  for rule in rules:
+        ${rule}
+%  endfor
+% endfor
     }
 }
 
 table nat {
     chain prerouting {
         type nat hook prerouting priority -100
+% for ruleset, rules in sorted(prerouting.items()):
+
+        # ${ruleset}
+%  for rule in rules:
+        ${rule}
+%  endfor
+% endfor
     }
     chain postrouting {
         type nat hook postrouting priority 100
+% for ruleset, rules in sorted(postrouting.items()):
+
+        # ${ruleset}
+%  for rule in rules:
+        ${rule}
+%  endfor
+% endfor
     }
 }