#!/usr/sbin/nft -f
################################################
### Managed by someone's ansible provisioner ###
################################################
# Part of: https://git.somenet.org/root/pub/somesible.git
# 2017-2025 by someone <someone@somenet.org>
#

# clear every table in every family before loading, not only the table
# defined below: rules installed by any other tooling on the host are
# removed here too, and the ruleset is rebuilt from this file alone.
flush ruleset

# single table for both IPv4 and IPv6 (inet family). only the prerouting and
# postrouting hooks are used; the input/forward/output chains are commented out.
# every chain has policy accept and every path ends in an accept verdict, so
# nothing in this table drops or rejects traffic: it counts packets and tags
# flows with a mark (2 = outside-initiated, 1 = locally-originated) so that
# other tooling can tell the two apart.
# NOTE(review): if this host is meant to be filtered by this file, that is not
# what it does - confirm that a restrictive policy is enforced elsewhere.
table inet filter {
#    ct helper ftp-standard { type "ftp" protocol tcp; }
#
#    chain RAW {
#        type filter hook prerouting priority raw; policy accept;
#
#        # accept any inside traffic.
#        iifname "lo" counter accept
#
#        # accept all other traffic, by policy.
#    }

    # entry point for all incoming packets. priority -150 runs after the
    # conntrack hook (-200), so the ct state / ct mark matches below already
    # see an up-to-date connection entry.
    chain PRE {
        type filter hook prerouting priority -150; policy accept;

        # accept any inside traffic.
        iifname "lo" counter accept

        # incoming, public facing traffic.
        counter jump PRE_outside

        # accept any other traffic - should not happen.
        # (unreachable while PRE_outside ends in a terminating verdict, which
        # it does: its last rule is an unconditional accept.)
        counter log prefix "NFT:PRE:ACCEPT-unk; " accept
    }

    # classification of traffic arriving on non-loopback interfaces. the
    # service rules here only influence the counters: the last rule accepts
    # whatever was not matched earlier.
    chain PRE_outside {
        # mark outside-initiated incoming connections.
        # the first packet of every new flow gets packet mark 2, which is then
        # stored in the conntrack entry (ct mark). no rule in this table copies
        # the ct mark back onto later packets of the flow.
        ct state new meta mark set 2 ct mark set meta mark

        # accept neighbour discovery otherwise IPv6 connectivity breaks.
        # NOTE(review): `ip6 nexthdr icmpv6` only matches when ICMPv6 is the
        # immediate next header; a packet carrying an extension header first
        # skips this rule. harmless here because the chain accepts everything
        # anyway, but `meta l4proto icmpv6` is the robust form should a drop
        # ever be added below.
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} counter accept
        ip protocol icmp icmp type { echo-request} counter accept

        # accept connections to these services.
        # NOTE(review): port 2 looks like a templated placeholder from the
        # provisioner rather than a real service - verify what it expands to.
        tcp dport 2 counter accept

        # switch to something better than ftp, ssh/sftp for example, but if you must, use the ftp conntrack helper.
#        tcp dport 21 ct state new ct helper set "ftp-standard" counter accept

        # accept traffic originated from us.
        ct state established,related counter accept

        # accept any other traffic.
        # terminating accept-all: anything not matched above is accepted here,
        # which is why the rules above only ever affect the counters.
        counter accept
#        counter log prefix "NFT:PRE_outside:ACCEPT-all; " accept
    }

#    chain INPUT {
#        type filter hook input priority 0; policy accept;
#        counter accept
#    }
#    chain FORWARD {
#        type filter hook forward priority 0; policy accept;
#        counter accept
#    }
#    chain OUTPUT {
#        type filter hook output priority 0; policy accept;
#        counter accept
#    }

    # entry point for all outgoing packets, mirroring PRE.
    chain POST {
        type filter hook postrouting priority 150; policy accept;

        # accept any inside traffic.
        oifname "lo" counter accept

        # outgoing, public facing traffic.
        counter jump POST_outside

        # accept any other traffic - should not happen.
        # (unreachable while POST_outside ends in its unconditional accept.)
        counter log prefix "NFT:POST:ACCEPT-unk; " accept
    }

    # classification of traffic leaving on non-loopback interfaces.
    chain POST_outside {
        # mark inside-initiated outgoing traffic.
        # only flows whose conntrack entry still has mark 0 are tagged: flows
        # that entered through PRE_outside already carry ct mark 2, and locally
        # originated flows never traverse prerouting, so they arrive here unmarked.
        ct mark 0 meta mark set 1 ct mark set meta mark

        # accept all traffic.
        counter accept
#        counter log prefix "NFT:POST_outside:ACCEPT-all; " accept
    }
}


#table ip nat {
#    chain NAT_PRE {
#        type nat hook prerouting priority dstnat; policy accept;
#        meta l4proto tcp ip daddr 127.0.0.1 tcp dport 80 counter redirect to :1080
#        meta l4proto tcp ip daddr 127.0.0.1 tcp dport 443 counter redirect to :10443
#    }
#    chain NAT_POST {
#        type nat hook postrouting priority 100; policy accept;
#        oifname "eth0" counter masquerade fully-random,persistent
#    }
#}