#!/usr/sbin/nft -f

flush ruleset

table inet filter {

  # INPUT

  chain input {
    type filter hook input priority 0
    policy drop

    # allow loopback
    iifname lo accept
    # allow established
    ct state vmap { established : accept, related : accept, invalid : drop }
    # allow ping
    icmp type echo-request accept
    icmpv6 type echo-request accept
    # allow neighbour discovery
    icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

    # rules
% for rule in sorted(input):
    ${rule}
% endfor
  }

  # FORWARD

  chain forward {
    type filter hook forward priority 0
    policy accept

    # rules
% for rule in sorted(forward):
    ${rule}
% endfor
  }

  # OUTPUT

  chain output {
    type filter hook output priority 0
    policy accept

    # rules
% for rule in sorted(output):
    ${rule}
% endfor
  }
}