#!/usr/sbin/nft -f
################################################
### Managed by someone's ansible provisioner ###
################################################
# Part of: https://git.somenet.org/root/pub/somesible.git
# 2017-2024 by someone
#
# NOTE(review): as written, this ruleset does not block anything. Every chain
# has "policy accept", both live chains end in an unconditional
# "counter accept", and the input/forward/output chains are commented out.
# Its observable effect is (1) per-rule packet/byte counters and (2) tagging
# conntrack entries: ct mark 2 = connection initiated from outside,
# ct mark 1 = connection initiated by this host. The "accept connections to
# these services" rule only decides which counter a packet lands in; it does
# not restrict access. Do not deploy this expecting a host firewall: filtering
# of traffic addressed to this host belongs in a chain on the "input" hook
# with "policy drop" (the prerouting hook also sees forwarded traffic), and
# the trailing "counter accept" would then become the log/drop rule.
#

# "flush ruleset" removes EVERY table in EVERY family, including tables
# installed by other tools on this host (container runtimes, fail2ban,
# libvirt, ...). If anything else manages nftables here, prefer declaring
# "table inet filter" followed by "flush table inet filter" so only this
# table is reset.
flush ruleset

table inet filter {
#	ct helper ftp-standard {
#		type "ftp" protocol tcp;
#	}
#
#	chain raw {
#		type filter hook prerouting priority raw; policy accept;
#
#		# accept any local traffic.
#		iifname "lo" counter accept
#
#		# accept all other traffic, by policy.
#	}

	# Inbound side: runs on the prerouting hook, i.e. on every packet that
	# arrives on any interface, whether it is addressed to this host or will
	# be forwarded. Priority -150 places the chain after conntrack (-200), so
	# "ct state" / "ct mark" are already populated, and before dstnat (-100).
	# Unmatched packets fall through to "policy accept".
	chain pre {
		type filter hook prerouting priority -150; policy accept;

		# accept any local traffic.
		iifname "lo" counter accept

		###################################
		# incoming, public facing traffic #
		###################################

		# mark outside-initiated incoming connections.
		# First packet of a not-yet-tracked connection arriving from the
		# network: set the packet mark to 2 and copy it into the conntrack
		# entry, so every later packet of that connection (both directions)
		# carries ct mark 2. No verdict here; evaluation continues.
		ct state new meta mark set 2 ct mark set meta mark

		# accept packets of connections conntrack already knows: replies to
		# connections this host opened, the remaining packets of inbound
		# connections, and "related" traffic (ICMP errors, helper-expected
		# data connections).
		ct state established,related counter accept

		# accept neighbour discovery otherwise IPv6 connectivity breaks.
		# NOTE(review): this is only meaningful once the chain actually drops
		# something. If the trailing "counter accept" is ever turned into a
		# drop, this set is too narrow: nd-router-solicit, the ICMPv6 error
		# types (packet-too-big is required for path MTU discovery,
		# destination-unreachable, time-exceeded, parameter-problem) and
		# echo-request for IPv6 would be dropped with it. Note also that
		# "ip6 nexthdr icmpv6" only matches when ICMPv6 directly follows the
		# IPv6 header (no extension headers).
		ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} counter accept
		# IPv4 ping.
		ip protocol icmp icmp type { echo-request} counter accept

		# accept connections to these services.
		# NOTE(review): tcp/2 looks like a placeholder the provisioner is
		# expected to replace with the real service ports — confirm. With the
		# unconditional accept below, this rule only separates the counters.
		tcp dport 2 ct state new counter accept

		# switch to something better than ftp, ssh/sftp for example, but if you must, use the ftp conntrack helper.
		# NOTE(review): the "ct helper ftp-standard" object at the top of this
		# table is commented out too; uncommenting only this rule will make
		# the ruleset fail to load because the helper is undefined.
		# tcp dport 21 ct state new ct helper set "ftp-standard" counter accept

		# count and accept any other traffic.
		# This makes every rule above it purely a counter/marker. Replace with
		# "counter drop" (optionally preceded by a log rule) to turn the chain
		# into a real filter.
		counter accept
	}

#	chain input {
#		type filter hook input priority 0; policy accept;
#		counter accept
#	}
#
#	chain forward {
#		type filter hook forward priority 0; policy accept;
#		counter accept
#	}
#
#	chain output {
#		type filter hook output priority 0; policy accept;
#		counter accept
#	}

	# Outbound side: runs on the postrouting hook for every packet leaving
	# any interface (locally generated or forwarded). Priority 150 places it
	# after srcnat (100). Unmatched packets fall through to "policy accept".
	chain post {
		type filter hook postrouting priority 150; policy accept;

		oifname "lo" counter accept

		###################################
		# outgoing, public facing traffic #
		###################################

		# mark inside-initiated outgoing connections.
		# A tracked connection whose ct mark is still 0 here was never tagged
		# 2 by chain pre on the way in, i.e. it was opened by this host: set
		# the packet mark to 1 and persist it in the conntrack entry. Packets
		# without a conntrack entry do not match this rule.
		ct mark 0 meta mark set 1 ct mark set meta mark

		# count and accept all traffic.
		counter accept
	}
}

# Optional NAT table, disabled. NOTE(review): enabling natPOST turns this
# host into a NAT gateway for everything it forwards out of eth0; since the
# filter table above accepts all forwarded traffic, pair it with a chain on
# the "forward" hook that restricts which sources may be masqueraded.
#table ip nat {
#	chain natPRE {
#		type nat hook prerouting priority dstnat; policy accept;
#		meta l4proto tcp ip daddr 127.0.0.1 tcp dport 80 counter redirect to :1080
#		meta l4proto tcp ip daddr 127.0.0.1 tcp dport 443 counter redirect to :10443
#	}
#	chain natPOST {
#		type nat hook postrouting priority 100; policy accept;
#		oifname "eth0" counter masquerade fully-random,persistent
#	}
#}