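#!/usr/sbin/nft -f
# Mako template for the host firewall: one "inet" table that handles IPv4 and
# IPv6 together. The `input`, `forward` and `output` sequences are supplied by
# the template caller; each entry is rendered verbatim as a single nftables
# rule after the fixed rules of its chain.

flush ruleset

table inet filter {
    # INPUT
    chain input {
        type filter hook input priority 0; policy drop;

        # Allow traffic from established and related connections, drop invalid.
        ct state vmap { established : accept, related : accept, invalid : drop }

        # Allow loopback traffic.
        iifname lo accept

        # Dispatch on the layer 3 protocol using a verdict map. The per-family
        # ICMP/ICMPv6 rules live only in the target chains: a second copy here
        # would give echo-request two independent `limit rate` buckets (so
        # roughly twice the intended rate would be accepted) and would make the
        # copies in inbound_ipv4/inbound_ipv6 unreachable.
        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }

        # rules
        % for rule in sorted(input):
        ${rule}
        % endfor
    }

    chain inbound_ipv4 {
        # accepting ping (icmp-echo-request) for diagnostic purposes.
        icmp type echo-request limit rate 5/second accept
    }

    chain inbound_ipv6 {
        # accept neighbour discovery otherwise connectivity breaks
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

        # accepting ping (icmpv6-echo-request) for diagnostic purposes.
        icmpv6 type echo-request limit rate 5/second accept
    }

    # FORWARD
    chain forward {
        # "accept" is the nftables default for a base chain without a policy;
        # it is written out so the intent is visible to the reader.
        type filter hook forward priority 0; policy accept;

        # rules
        % for rule in sorted(forward):
        ${rule}
        % endfor
    }

    # OUTPUT
    chain output {
        # Same as forward: the implicit default policy made explicit.
        type filter hook output priority 0; policy accept;

        % for rule in sorted(output):
        ${rule}
        % endfor
    }
}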