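## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "nftables/map.jinja" import nftables with context %}
{%- from "nftables/map.jinja" import net with context %}

## Rendered by Salt and loaded as an nft ruleset file. Only `add` statements
## are used: `add table` / `add chain` are idempotent, but `add rule` appends,
## so re-loading without a preceding `flush ruleset` (here or in the calling
## state) duplicates every rule -- confirm how the state applies this file.
## $blacklist is not defined anywhere in this file; nft refuses to load a
## ruleset that references an undefined variable, so a
## `define blacklist = { ... }` must be in effect before this file is read.
## Pillar values (value.ip, value.mask, value.proto, value.port) are inserted
## into nft syntax unescaped -- pillar data is trusted as ruleset source.

## IPv4 filtering
add table ip filter
add chain ip filter input { type filter hook input priority 0; policy drop; }
# forward is wide open: together with the masquerade rules below any routed
# traffic is forwarded, not only traffic from the net.nats sources. Tighten
# if this host acts as a gateway.
add chain ip filter forward { type filter hook forward priority 0; policy accept; }
add chain ip filter output { type filter hook output priority 0; policy accept; }
add rule ip filter input iifname lo counter accept
# Blacklist before the interface and conntrack shortcuts: with the drop placed
# after `ct state related,established accept`, a listed source could keep an
# already-established flow alive. counter added so hits are visible.
add rule ip filter input ip saddr $blacklist counter drop
# Interface wildcards are strings in nft and must be quoted. Note that
# everything arriving on a tun* interface is accepted unconditionally.
add rule ip filter input iifname "tun*" counter accept
add rule ip filter input ct state related,established counter accept
# Every ICMP type is accepted here; the IPv6 side is restricted by type.
add rule ip filter input ip protocol icmp counter accept
{%- for key, value in net.ipv4_networks.items() %}
add rule ip filter input ip saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept
{%- endfor %}
{%- for key, value in net.public_ports.items() %}
add rule ip filter input {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
{%- endfor %}
# Uncomment to log what the drop policy discards:
#add rule ip filter input counter log

## IPv4 NAT
add table ip nat
add chain ip nat prerouting { type nat hook prerouting priority 0; policy accept; }
add chain ip nat input { type nat hook input priority 0; policy accept; }
add chain ip nat output { type nat hook output priority 0; policy accept; }
add chain ip nat postrouting { type nat hook postrouting priority 0; policy accept; }
{%- for key, value in net.nats.items() %}
add rule ip nat postrouting ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade
{%- endfor %}

## IPv6 filtering
## There is no IPv6 counterpart of $blacklist: a listed host that is also
## reachable over IPv6 is not blocked by this ruleset.
add table ip6 filter6
add chain ip6 filter6 input { type filter hook input priority 0; policy drop; }
add chain ip6 filter6 forward { type filter hook forward priority 0; policy accept; }
add chain ip6 filter6 output { type filter hook output priority 0; policy accept; }
add rule ip6 filter6 input iifname lo counter accept
add rule ip6 filter6 input iifname "tun*" counter accept
add rule ip6 filter6 input ct state related,established counter accept
# ICMPv6 types needed for neighbour discovery, MLD, PMTUD and errors, plus
# echo. counter added to match the other rules.
add rule ip6 filter6 input icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering } counter accept
{%- for key, value in net.ipv6_networks.items() %}
add rule ip6 filter6 input ip6 saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept
{%- endfor %}
{%- for key, value in net.public_ports.items() %}
add rule ip6 filter6 input {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
{%- endfor %}
# Uncomment to log what the drop policy discards:
#add rule ip6 filter6 input counter log
## Endline is mandatory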