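#!/usr/sbin/nft -f
#
# Host firewall template. Lines starting with "%" and the dollar-brace
# placeholders are expanded by the template engine; the expanded output is
# what nft loads. Template inputs (blocked_v4, blocked_v6, input, forward,
# prerouting, postrouting) are interpolated verbatim — nothing here quotes or
# validates them — so the generator must only hand over well-formed nft
# addresses and rule fragments.

# Replaces the entire live ruleset atomically on every (re)load, including
# whatever the include at the bottom contributed last time.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0
        policy drop

        # Drop SYNs advertising an MSS of 1-500 bytes (tiny-segment / SYN-flood
        # mitigation); placed first so it applies to every new connection attempt.
        tcp flags syn tcp option maxseg size 1-500 drop

        ct state { established, related } accept
        ct state invalid drop

        iif lo accept

        # Source blocklists. They sit after the established/related accept, so a
        # newly added address only loses *new* connections; flows that were
        # already established keep passing until they end or their conntrack
        # entry is removed. Move the loops above the ct rule if a hard cut-off
        # is required (at the cost of per-packet matching).
% for address in sorted(blocked_v4):
        ip saddr ${address} drop
% endfor
% for address in sorted(blocked_v6):
        ip6 saddr ${address} drop
% endfor

        # ICMPv4: refuse timestamp queries (remote clock disclosure); all other
        # ICMPv4 is accepted without rate limiting.
        icmp type timestamp-request drop
        icmp type timestamp-reply drop
        ip protocol icmp accept

        # ICMPv6 is required for NDP and PMTUD. Match on the transport protocol
        # rather than "ip6 nexthdr": that expression only reads the first Next
        # Header field, so ICMPv6 carried behind an extension header (e.g. a
        # fragment header) would not match and would fall through to policy drop.
        meta l4proto ipv6-icmp accept
% for ruleset, rules in sorted(input.items()):

        # ${ruleset}
%  for rule in rules:
        ${rule}
%  endfor
% endfor
    }

    chain output {
        type filter hook output priority 0
        policy accept
    }

    chain forward {
        type filter hook forward priority 0
        policy drop

        # No conntrack shortcut in this chain: any established/related accept
        # for forwarded traffic presumably comes from the generated rulesets
        # below (confirm against the generator).
        icmp type timestamp-request drop
        icmp type timestamp-reply drop
% for ruleset, rules in sorted(forward.items()):

        # ${ruleset}
%  for rule in rules:
        ${rule}
%  endfor
% endfor
    }
}

# No family keyword, so this is an "ip" (IPv4-only) table: the generated
# prerouting/postrouting rules can only NAT IPv4, and ip6 rules placed here
# will be rejected at load. Both chains carry the nft default policy (accept).
table nat {
    chain prerouting {
        type nat hook prerouting priority -100
% for ruleset, rules in sorted(prerouting.items()):

        # ${ruleset}
%  for rule in rules:
        ${rule}
%  endfor
% endfor
    }
    chain postrouting {
        type nat hook postrouting priority 100
% for ruleset, rules in sorted(postrouting.items()):

        # ${ruleset}
%  for rule in rules:
        ${rule}
%  endfor
% endfor
    }
}

# Parsed after everything above as part of the same load, so files matching the
# glob may add tables and chains, and anything they append to an existing chain
# lands after the rules generated here.
include "/etc/nftables-rules.d/*-*"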