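#!/usr/sbin/nft -f
# Router firewall ruleset, rendered from a Jinja2 template.
#
# Template inputs (as referenced below):
#   lan_interface, wan_interface   - interface names for the LAN and WAN side
#   incoming_firewall_rules        - list of {name, source, port, protocol?};
#                                    services on this host reachable from the LAN
#   nat_port_forwards              - list of {name, dst, port, protocol?};
#                                    WAN ports forwarded to a LAN host
# A missing `protocol` defaults to tcp. An undefined list renders as empty,
# which is the fail-closed outcome under the drop policies below.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Discard packets conntrack cannot classify (e.g. stray TCP segments
        # with no tracked connection) before any accept rule can match them.
        ct state invalid drop

        # Allow established/related
        ct state established,related accept

        # Allow loopback
        iif lo accept

        # Allow ICMP (all types; ICMPv6 is needed for neighbour discovery)
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept

        # Allow incoming firewall rules: each entry opens one port on this host,
        # only from the LAN interface and only from the configured source.
        {% for rule in incoming_firewall_rules | default([]) %}
        # {{ rule.name }}
        iif {{ lan_interface }} ip saddr {{ rule.source }} {{ rule.protocol | default('tcp') }} dport {{ rule.port }} accept
        {% endfor %}
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Drop invalid-state packets first so they cannot be forwarded under
        # the unconditional LAN -> WAN accept below.
        ct state invalid drop

        # Allow established/related
        ct state established,related accept

        # Allow forwarding from LAN to anywhere
        iif {{ lan_interface }} oif {{ wan_interface }} accept

        # Port forwards: permit the WAN -> LAN leg of each DNAT'd service.
        # The DNAT itself is applied in table ip nat, chain prerouting.
        {% for forward in nat_port_forwards | default([]) %}
        # {{ forward.name }}
        iif {{ wan_interface }} oif {{ lan_interface }} ip daddr {{ forward.dst }} {{ forward.protocol | default('tcp') }} dport {{ forward.port }} accept
        {% endfor %}
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # NAT masquerade from LAN to WAN
        oif {{ wan_interface }} masquerade
    }

    chain prerouting {
        type nat hook prerouting priority -100; policy accept;

        # Port forwards: rewrite the destination of WAN traffic on the
        # configured port to the LAN host, keeping the same port number.
        {% for forward in nat_port_forwards | default([]) %}
        # {{ forward.name }}
        iif {{ wan_interface }} {{ forward.protocol | default('tcp') }} dport {{ forward.port }} dnat to {{ forward.dst }}:{{ forward.port }}
        {% endfor %}
    }
}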