From a4f00a90ab36917c22cfc462b2914a033fb764f0 Mon Sep 17 00:00:00 2001
From: Simon Cornet
Date: Tue, 17 Feb 2026 08:59:03 +0100
Subject: [PATCH] fix: nftables file location
---
 tasks/firewall.yaml | 4 ++--
 templates/{nftables.conf.j2 => nftables.nft.j2} | 9 +++------
 2 files changed, 5 insertions(+), 8 deletions(-)
 rename templates/{nftables.conf.j2 => nftables.nft.j2} (94%)
diff --git a/tasks/firewall.yaml b/tasks/firewall.yaml
index 7e9b697..6077a24 100644
--- a/tasks/firewall.yaml
+++ b/tasks/firewall.yaml
@@ -3,8 +3,8 @@
 # deploy nftables rules
 - name: "firewall - nftables rules"
 ansible.builtin.template:
- src: "nftables.conf.j2"
- dest: "/etc/nftables.conf"
+ src: "nftables.nft.j2"
+ dest: "/etc/nftables.nft"
 mode: "0600"
 owner: "root"
 group: "root"
diff --git a/templates/nftables.conf.j2 b/templates/nftables.nft.j2
similarity index 94%
rename from templates/nftables.conf.j2
rename to templates/nftables.nft.j2
index d2df6af..2d0e955 100644
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.nft.j2
@@ -12,18 +12,15 @@ table inet filter {
 # Allow loopback
 iif lo accept
 
- # Allow LAN management access
- iif {{ lan_interface }} accept
+# Allow ICMP
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
 
 # Allow incoming firewall rules
 {% for rule in incoming_firewall_rules %}
 # {{ rule.name }}
 iif {{ lan_interface }} ip saddr {{ rule.source }} {{ rule.protocol | default('tcp') }} dport {{ rule.port }} accept
 {% endfor %}
-
- # Allow ICMP
- ip protocol icmp accept
- ip6 nexthdr ipv6-icmp accept
 }
 
 chain forward {
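Review bot: The rendered ruleset is written straight to `/etc/nftables.nft` (the new `dest:` line) with no syntax check visible in the task, so a bad `incoming_firewall_rules` entry (unknown protocol name, malformed `source`) lands on disk as the boot-time ruleset and only fails at the next `nft -f`, which can leave the host without the intended firewall. Unless a `validate:` key already follows below the hunk, add `validate: "nft -c -f %s"` next to `mode`/`owner`/`group` so the file is only installed when `nft` can parse it. The task also never removes the previously deployed `/etc/nftables.conf`; on hosts provisioned before this change, anything that still loads the old path (init script, a handler) keeps applying the old ruleset, including the unrestricted LAN accept this commit drops from the template, so an `ansible.builtin.file` task with `state: absent` for the old path is worth adding. Whether `/etc/nftables.nft` is the path the target's nftables service actually reads (Alpine's init script does; Debian's unit reads `/etc/nftables.conf`) cannot be confirmed from this hunk.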
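Review bot: The relocated rules `ip protocol icmp accept` and `ip6 nexthdr ipv6-icmp accept` still accept every ICMP/ICMPv6 type from any source on every interface, and with the blanket `iif {{ lan_interface }} accept` gone they are the broadest accept left in the chain. Consider limiting them to the types a host needs, e.g. `icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept` and `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request, packet-too-big, time-exceeded, parameter-problem, destination-unreachable } accept`; an `icmpv6 type` match also avoids `ip6 nexthdr`, which only reads the fixed header's next-header field and so appears not to match ICMPv6 carried behind an extension header (`meta l4proto ipv6-icmp` is the usual form if all types must stay open). The added `# Allow ICMP` comment sits at column 0 while the two rules under it are indented; align it with the rest of the chain body. Removing the LAN accept means any management access such as SSH must now be listed in `incoming_firewall_rules`, which looks intended; the enclosing `chain input` and its default policy start above the hunk and are not visible here.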