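#!/usr/sbin/nft -f
# Host firewall + NAT ruleset, rendered from a Mako template.
# Static hygiene rules come first in each chain; per-host rules are pulled
# from node metadata and emitted in sorted order so the rendered file is
# stable across runs (diffable, reproducible reloads).
#
# Interpreter path fixed: was "/usb/sbin/nft", which does not exist.

# Atomic replacement of the whole ruleset on every load.
flush ruleset

table inet filter {
    chain input {
        # Default-deny ingress for both IPv4 and IPv6 (inet family).
        type filter hook input priority 0; policy drop;

        # Reject SYNs advertising an implausibly small MSS (1-500 bytes).
        tcp flags syn tcp option maxseg size 1-500 drop

        # Fast path for reply traffic of already-accepted flows.
        ct state { established, related } accept
        ct state invalid drop

        # Loopback is trusted once conntrack-invalid packets are gone.
        iif lo accept

        # Do not answer ICMP timestamp probes (clock disclosure); all other
        # ICMP/ICMPv6 is allowed through so PMTUD and NDP keep working.
        icmp type timestamp-request drop
        icmp type timestamp-reply drop
        ip protocol icmp accept
        # NOTE(review): "ip6 nexthdr" only matches when ICMPv6 is the
        # immediate next header; packets with extension headers in front of
        # ICMPv6 fall through to the drop policy. "meta l4proto ipv6-icmp"
        # would match those too - confirm whether that is intended.
        ip6 nexthdr ipv6-icmp accept

        # Per-host input rules, grouped by ruleset name from metadata.
        % for ruleset, rules in sorted(node.metadata.get('nftables/rules/input', {}).items()):
        # ${ruleset}
        % for rule in rules:
        ${rule}
        % endfor
        # / ${ruleset}
        % endfor
    }

    chain output {
        # Egress is unrestricted by this template.
        type filter hook output priority 0; policy accept;
    }

    chain forward {
        # Default-deny forwarding; anything NATed below still needs an
        # explicit forward rule from metadata to pass.
        type filter hook forward priority 0; policy drop;

        icmp type timestamp-request drop
        icmp type timestamp-reply drop

        # Per-host forward rules, grouped by ruleset name from metadata.
        % for ruleset, rules in sorted(node.metadata.get('nftables/rules/forward', {}).items()):
        # ${ruleset}
        % for rule in rules:
        ${rule}
        % endfor
        # / ${ruleset}
        % endfor
    }
}

# Family spelled out explicitly: an unqualified "table nat" is the ip
# family anyway, so this is the same table as before - and it means these
# NAT rules apply to IPv4 only.
table ip nat {
    chain prerouting {
        # Runs before routing (priority -100 = dstnat); chain policy is the
        # nat default, accept.
        type nat hook prerouting priority -100;
        % for rule in sorted(node.metadata.get('nftables/rules/nat_prerouting', [])):
        ${rule}
        % endfor
    }

    chain postrouting {
        # Runs after routing (priority 100 = srcnat).
        type nat hook postrouting priority 100;
        % for rule in sorted(node.metadata.get('nftables/rules/nat_postrouting', [])):
        ${rule}
        % endfor
    }
}

# Extra rule files are read by nft at load time (after the tables above),
# not rendered by this template; they can add to or override what is here.
include "/etc/nftables-rules.d/*-*"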