#!/usr/sbin/nft -f

# Start from an empty kernel ruleset so rules from a previous load do not
# linger after a reload. NOTE(review): this wipes every table in the kernel,
# including ones owned by other tools on the host (container runtimes,
# libvirt, fail2ban, ...); if any such tool runs here, the usual scoped
# alternative is to declare `table inet filter {}` and then
# `flush table inet filter` so only this file's table is reset.
flush ruleset

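table inet filter {
    chain input {
        # Default-deny on the input path: anything not explicitly accepted
        # below (or by a rule merged in from an included file) is dropped.
        type filter hook input priority filter; policy drop

        # Conntrack fast path in one lookup: replies to flows this host
        # opened (established/related) are accepted, and packets that fit no
        # known flow (invalid) are discarded before the per-protocol rules.
        ct state vmap { invalid : drop, established : accept, related : accept }
        # Loopback is trusted unconditionally. It is checked after the vmap,
        # so ct-invalid loopback packets are still dropped.
        iif lo accept

        # ICMPv4 control messages needed for PMTU discovery, traceroute and
        # reachability checks. echo-request is not rate-limited here; add
        # `limit rate` to this rule if ping floods matter for this host.
        ip protocol icmp icmp type {
            echo-request, echo-reply, destination-unreachable,
            parameter-problem, time-exceeded,
        } accept comment "accept some ICMPv4"

        # `meta l4proto` is the upper-layer protocol after any IPv6 extension
        # headers, whereas `ip6 nexthdr` only reads the Next Header field of
        # the fixed header, so ICMPv6 carried behind an extension header
        # (e.g. Hop-by-Hop) would miss the rule and fall through to policy
        # drop. packet-too-big is mandatory for IPv6 PMTU discovery.
        meta l4proto ipv6-icmp icmpv6 type {
            echo-request, echo-reply, destination-unreachable,
            packet-too-big, parameter-problem, time-exceeded,
        } accept comment "accept some ICMPv6"

        # Neighbor Discovery (RFC 4861) is required for IPv6 to work at all.
        # ND messages are sent with hop limit 255 and are never forwarded, so
        # requiring 255 rejects anything that crossed a router. nd-redirect
        # is deliberately not accepted. NOTE(review): this still accepts any
        # on-link router advertisement; rogue-RA protection needs the
        # accept_ra sysctls (or RA guard on the switch), not this rule.
        meta l4proto ipv6-icmp ip6 hoplimit 255 icmpv6 type {
            nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, nd-router-solicit
        } accept comment "accept IPv6 neighbor discovery"
    }

    # NOTE(review): no forward chain is defined, so forwarded traffic is not
    # filtered by this table. That is harmless while IP forwarding is off;
    # if this host ever forwards (containers, VMs), add
    # `chain forward { type filter hook forward priority filter; policy drop }`.
}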

# Drop-in directory for host/service-specific rules (e.g. the accept rules
# for SSH or HTTP that the default-drop input policy otherwise blocks). The
# files are parsed after the table above, so a file that declares
# `table inet filter { chain input { ... } }` appends its rules to this
# chain. NOTE(review): everything in this directory becomes part of the
# firewall, so it must be root-owned and not group/world-writable; also
# confirm on the target nft version that a wildcard matching no files is
# not treated as an error.
include "/etc/nftables.d/*.nft"