#!/usr/sbin/nft -f

# Atomically replaces the whole ruleset: every table in every family is
# removed, not just this one. Anything another tool added at runtime is gone
# after a reload, so this file must be the single source of firewall policy.
flush ruleset

# One inet-family table handles both IPv4 and IPv6 with a single set of chains.
table inet filter {
    # Traffic addressed to this host. Default-deny: anything not explicitly
    # accepted below is dropped.
    chain input {
        type filter hook input priority filter; policy drop

        # Stateful fast path: replies for established/related flows are accepted,
        # malformed/untracked packets dropped. "new" is not in the map, so new
        # connections fall through to the explicit allow rules that follow.
        ct state vmap { invalid : drop, established : accept, related : accept }
        # Loopback is trusted unconditionally.
        iif lo accept

        # Only the ICMP types needed for reachability and error signalling;
        # types not listed (e.g. redirect, timestamp) hit the drop policy.
        ip protocol icmp icmp type {
            echo-request, echo-reply, destination-unreachable,
            parameter-problem, time-exceeded,
        } accept comment "accept some ICMPv4"

        # NOTE(review): no neighbour-discovery types (nd-neighbor-solicit,
        # nd-neighbor-advert, nd-router-advert, ...) are in this set. On lan0/lan1
        # they only pass via the link-local rules below; NS from a global or
        # unspecified (::) source, or on any other non-accepted interface, is
        # dropped -- confirm this is intended.
        ip6 nexthdr icmpv6 icmpv6 type {
            echo-request, echo-reply, destination-unreachable,
            packet-too-big, parameter-problem, time-exceeded,
        } accept comment "accept some ICMPv6"

        # BGP / BFD sessions
        # These match on source address only: any protocol/port from a link-local
        # source on these interfaces is accepted, not just BGP (179) and BFD.
        # `iif` resolves the interface index at load time, so the file fails to
        # load if lan0/lan1 do not exist yet (unlike `iifname` used for mgmt).
        iif lan0 ip6 saddr fe80::/64 accept
        iif lan1 ip6 saddr fe80::/64 accept

        # Everything arriving on the management interface is accepted; the
        # interface name, not its index, is matched, so it may appear later.
        iifname mgmt accept comment "management access"

        # Plain HTTP, IPv6 only, open to any source (presumably an ACME
        # HTTP-01 challenge listener -- verify nothing else binds :80).
        meta nfproto ipv6 tcp dport 80 accept comment "for certificate renewal"

{# One rule pair per service; `allowed_prefixes`, `ipv4`, `ipv6` and
   `compact_numlist` are template-side filters defined elsewhere. Presumably
   `allowed_prefixes` yields the source networks permitted to reach the
   service and `compact_numlist` renders its port list -- confirm in the
   templating code. Only TCP ports are emitted here. #}
{% for service in services %}
{% set prefixes = service | allowed_prefixes %}
{% set ports = service.ports | compact_numlist %}
        # service {{ service.name }}
{# A rule is emitted only when the family has at least one prefix, so an
   empty set literal is never produced. #}
{% if prefixes | ipv4 %}
        ip saddr { {{ prefixes | ipv4 | join(', ') }} } tcp dport { {{ ports }} } accept
{% endif %}
{% if prefixes | ipv6 %}
        ip6 saddr { {{ prefixes | ipv6 | join(', ') }} } tcp dport { {{ ports }} } accept
{% endif %}

{% endfor %}
    }

    # No transit traffic: this host does not forward packets at all, so the BGP
    # sessions above presumably serve route announcement only (e.g. anycast),
    # not routing -- confirm against the intended role of the host.
    chain forward {
        type filter hook forward priority filter; policy drop
    }

    # All locally generated traffic is allowed out.
    chain output {
        type filter hook output priority filter; policy accept
    }
}