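#!/usr/sbin/nft -f
# Jinja2 template rendering the host firewall as one atomic nftables ruleset.
#
# Inputs (Ansible variables):
#   firewall_in   - list of rules with keys proto, port and an optional list
#                   `from` of IPv4/IPv6 addresses or DNS names allowed to reach
#                   the port. A rule without `from` opens the port to any source.
#   firewall_raw  - optional list of raw nft rule strings inserted verbatim
#                   into the ip INPUT chain (trusted input, not validated).
#   firewall_raw6 - same for the ip6 INPUT chain.
#
# DNS names in `from` are resolved once, at template time: A records feed the
# ip table, AAAA records feed the ip6 table, and every returned address gets
# its own rule. A name that does not resolve (or resolves only for the other
# address family) simply yields no rule in that table.
# `nft -f` loads the file as a single transaction, so a malformed proto/port
# value fails the whole load and leaves the previous ruleset in place.
flush ruleset

table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept
        # Conntrack-invalid packets are dropped silently instead of being
        # answered by the reject at the end of the chain.
        ct state vmap { established : accept, related : accept, invalid : drop }
        ip protocol icmp accept
        iifname lo accept
{% if firewall_raw is defined %}
{% for rule in firewall_raw %}
        {{ rule }}
{% endfor %}
{% endif %}
{% for rule in firewall_in %}
{% if rule.from is defined %}
{% for source in rule.from %}
{% if source | ansible.utils.ipv4 or source | ansible.utils.ipv6 %}
{% set addresses = [source] %}
{% else %}
{% set addresses = lookup('dig', source, qtype='A', wantlist=True) %}
{% endif %}
{% for address in addresses %}
{% if address | ansible.utils.ipv4 %}
        ip saddr {{ address }} {{ rule.proto }} dport {{ rule.port }} accept
{% endif %}
{% endfor %}
{% endfor %}
{% else %}
        {{ rule.proto }} dport {{ rule.port }} accept
{% endif %}
{% endfor %}
        # Anything not accepted above is refused explicitly so clients fail
        # fast rather than waiting for a timeout.
        reject with icmp type host-prohibited
    }
    chain FORWARD {
        type filter hook forward priority 0; policy drop
        # This host does not route; transit traffic is refused explicitly.
        reject with icmp type host-prohibited
    }
}

table ip6 filter {
    chain INPUT {
        type filter hook input priority 0; policy accept
        ct state vmap { established : accept, related : accept, invalid : drop }
        # Match on the transport protocol rather than the first next-header so
        # ICMPv6 behind extension headers (e.g. MLD with hop-by-hop) is still
        # accepted; ICMPv6 is required for neighbour discovery.
        meta l4proto ipv6-icmp accept
        # Loopback must be accepted here too, otherwise new connections to ::1
        # hit the reject below.
        iifname lo accept
{% if firewall_raw6 is defined %}
{% for rule in firewall_raw6 %}
        {{ rule }}
{% endfor %}
{% endif %}
{% for rule in firewall_in %}
{% if rule.from is defined %}
{% for source in rule.from %}
{% if source | ansible.utils.ipv4 or source | ansible.utils.ipv6 %}
{% set addresses = [source] %}
{% else %}
{% set addresses = lookup('dig', source, qtype='AAAA', wantlist=True) %}
{% endif %}
{% for address in addresses %}
{% if address | ansible.utils.ipv6 %}
        ip6 saddr {{ address }} {{ rule.proto }} dport {{ rule.port }} accept
{% endif %}
{% endfor %}
{% endfor %}
{% else %}
        {{ rule.proto }} dport {{ rule.port }} accept
{% endif %}
{% endfor %}
        reject with icmpv6 type admin-prohibited
    }
    chain FORWARD {
        type filter hook forward priority 0; policy drop
        reject with icmpv6 type admin-prohibited
    }
}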