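#!/usr/sbin/nft -f
# {{ ansible_managed }}
#
# Host firewall for a WireGuard endpoint: IPv4/IPv6 filtering in one "inet"
# table, plus IPv4 source NAT for traffic leaving via the external interface.
# "flush ruleset" discards every existing table first (including tables added
# by other tooling on this host), so this file is the complete ruleset.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback is unrestricted.
        iif lo accept

        # Replies to flows already tracked by conntrack. ICMP/ICMPv6 error
        # messages for those flows (e.g. packet-too-big) are relied on to match
        # "related" here; if path-MTU problems appear, consider accepting the
        # RFC 4890 error types explicitly in the ICMPv6 rule below.
        ct state established,related accept

        # ICMPv6 neighbour discovery and ping. Matched on the transport
        # protocol (meta l4proto) rather than "ip6 nexthdr" so ICMPv6 carried
        # behind IPv6 extension headers is still recognised; the forward chain
        # uses the same form so both chains stay consistent.
        meta l4proto ipv6-icmp icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

        # IPv4 ping.
        ip protocol icmp icmp type echo-request accept

        # SSH and the WireGuard listen port are reachable on every interface,
        # including through the tunnel itself (no iifname / saddr restriction).
        tcp dport { ssh } ct state new accept
        udp dport { {{ wireguard_listenport }} } ct state new accept

        # Everything else is counted and dropped.
        counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Same ICMPv6 set as the input chain (ND types are link-scoped and are
        # not expected to traverse the forward path; kept for parity).
        meta l4proto ipv6-icmp icmpv6 type { echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # IPv4 ping is forwarded regardless of ingress interface.
        ip protocol icmp icmp type echo-request accept

        # New flows may only be initiated from the tunnel side. There is no
        # oifname restriction, so peers can reach any destination this host
        # routes to.
        iifname "{{ wireguard_if }}" ct state new accept

        counter drop
    }

    chain output {
        # Outbound traffic from this host is unfiltered. "accept" is also the
        # nft default when no policy is given; stated here for clarity.
        type filter hook output priority 0; policy accept;
    }
}

# IPv4 only (table family "ip"): forwarded IPv6 traffic is not translated.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Masquerades every packet leaving the external interface, not just
        # tunnel-sourced traffic (no saddr / iifname qualifier).
        oifname "{{ wireguard_ext_if }}" masquerade
    }
}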