{# fw is this firewall's number: the second '-'-separated field of
   inventory_hostname, converted with the int filter (a non-numeric field
   yields 0). It selects the local and peer sync addresses in the Sync block. -#}
{% set fw = inventory_hostname.split('-')[1]|int -%}

# Connection-state synchronisation with the peer firewall.
Sync {
	Mode FTFW {
	     # Inject states received from the peer directly into the kernel
	     # conntrack table instead of holding them in the external cache,
	     # so no commit signal is needed on failover.
	     DisableExternalCache On
	}

	UDP {
		# NOTE(review): this file configures no authentication or
		# encryption for the sync channel, so the interface below should
		# be a dedicated link between the two firewalls. Confirm.
		Interface {{ iface_sync }}
		# Local address is fe80::<fw>, where fw is the number parsed from
		# the inventory hostname. The peer is fe80::2 when fw is 1 and
		# fe80::1 for any other value, so this assumes a pair numbered
		# 1 and 2.
		IPv6_address fe80::{{ fw }}
		IPv6_Destination_Address fe80::{{ 2 if fw == 1 else 1 }}
		Port 3780

		# Recommended by manual.
		Checksum on
		RcvSocketBuffer 1249280
		SndSocketBuffer 1249280
	}

	#Options {
	#	TCPWindowTracking Off
	#}
}

# Daemon-wide settings and the filter that selects which states are replicated.
General {
	UNIX {
		# Local control socket for the daemon.
		Path /var/run/conntrackd.ctl
	}
	Syslog on

	# Recommended by manual.
	HashLimit 524288
	NetlinkBufferSize 2097152
	NetlinkBufferSizeMaxGrowth 8388608

	Filter From Kernelspace {
		# Do not replicate states for traffic from or to the firewall
		# itself: such connections end on this host and cannot be taken
		# over by the peer.
		Address Ignore {
			IPv4_address 127.0.0.1/8
			IPv6_address ::1/128
			IPv6_address fe80::/64 # link-local addresses
			# wg_ip is presumably this host's WireGuard address. Confirm.
			IPv4_address {{ wg_ip }}
			# One entry per address found in the ip_addresses lists of the
			# interfaces variable, sorted by address.
			# NOTE(review): if address.address carries a prefix length, the
			# entry matches the whole network, and states for every host in
			# that subnet would not be replicated. Confirm that a host
			# address is rendered here.
{% for address in interfaces | map(attribute='ip_addresses') | flatten | sort(attribute='address') %}
			IPv{{ address.family.value }}_address {{ address.address }}
{% endfor %}
		}
	}
}