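---
# Firewall variables for an nftables role (the structure is inferred from the
# keys below; confirm it against the role that renders these tables).

# TCP service names accepted inbound on the "input" chain. They are joined into
# a `tcp dport { ... }` set below, so UDP services cannot be listed here; nft
# resolves the names through the host's services database.
allowed_services:
  - ssh
  - http
  - https

nftables_tables:
  # Packet-filter table; family inet covers IPv4 and IPv6 in one rule set.
  - name: "firewall"
    family: "inet"
    chains:
      # Traffic addressed to this host: default-deny with the explicit allows
      # listed in rules.
      - name: "input"
        base:
          type: "filter"
          hook: "input"
          priority: 0
          policy: "drop"
        rules:
          - position: 1
            statement: "iif lo accept"
          # Invalid conntrack states are logged, then dropped. The log
          # statement carries no rate limit, so a flood of invalid packets
          # also floods the log; consider adding `limit rate` before `log`.
          - position: 2
            statement: 'ct state invalid log prefix "FW:DROP:" drop'
            comment: "Log and drop invalid packets."
          - position: 3
            statement: "ct state established,related accept"
          # Minimal ICMPv6 allowlist (neighbour discovery, router
          # advertisements, ping). Other ICMPv6 types, e.g. those used for
          # path-MTU discovery, are not allowed, and there is no IPv4 ICMP rule
          # at all, so IPv4 echo-request is dropped by the chain policy —
          # confirm that is intended.
          - position: 10
            statement: "ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit,echo-request,nd-router-advert,nd-neighbor-advert} accept"
          # Jinja renders this to `tcp dport {ssh, http, https} accept` from
          # allowed_services above.
          - position: 11
            statement: "tcp dport {{ '{' + ', '.join(allowed_services) }}} accept"

      # Transit traffic. With policy accept and no rules, anything the host
      # routes passes (if IP forwarding is enabled), and the masquerade rule in
      # the nat table below then source-NATs it. A drop policy with explicit
      # allows per interface pair would be the tighter form.
      - name: "forward"
        base:
          type: "filter"
          hook: "forward"
          priority: 0
          policy: "accept"

      # Locally generated traffic: allowed by policy.
      - name: "output"
        base:
          type: "filter"
          hook: "output"
          priority: 0
          policy: "accept"
        rules:
          # Placeholder rule with an empty statement — confirm the consuming
          # role skips empty statements rather than rendering a bare rule.
          - position: 1
            statement: ""
            # Disabled rule kept from the original file:
            # statement: "ip daddr 192.0.2.100 counter"

  # NAT table; family ip, so it applies to IPv4 only.
  - name: "nat"
    family: "ip"
    chains:
      # Priority 0 here rather than nft's usual dstnat priority (-100); it
      # still works, but check ordering if other tables hook prerouting.
      - name: "prerouting"
        base:
          type: "nat"
          hook: "prerouting"
          priority: 0
        rules:
          # Disabled rule kept from the original file:
          # - position: 1
          #   statement: "iif wlp1s0 tcp dport { 2222 } dnat 192.168.10.176:22"
          # Placeholder rule with an empty statement — see the note on the
          # "output" chain above.
          - position: 1
            statement: ""

      - name: "postrouting"
        base:
          type: "nat"
          hook: "postrouting"
          priority: 100
        rules:
          # Source NAT for IPv4 traffic leaving the host. There is no `oifname`
          # match, so it applies on every outgoing interface; pinning it to the
          # upstream interface is the safer form. `random,persistent` are
          # masquerade port-mapping flags.
          - position: 1
            statement: "masquerade random,persistent"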