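---
# nftables host-firewall variables for a templating role. The one Jinja
# expression below is expanded by the role before nft ever sees the text.

# Service names accepted inbound over TCP. They are rendered into the
# `tcp dport { ... }` set of the input chain; nft resolves the names via
# /etc/services when the ruleset is loaded.
allowed_services:
  - ssh
  - http
  - https

nftables_tables:
  - name: "firewall"
    family: inet
    chains:
      # Inbound: default-deny. Anything not accepted by a rule below is
      # dropped by the chain policy (without logging).
      - name: "input"
        base:
          type: "filter"
          hook: "input"
          priority: 0
        policy: "drop"
        rules:
          - position: 1
            statement: "iif lo accept"
          # NOTE(review): this log is unbounded, so a burst of invalid
          # packets can flood the kernel log. A `limit rate` expression
          # before `log` (example: `limit rate 10/minute`) keeps it bounded.
          - position: 2
            statement: 'ct state invalid log prefix "FW:DROP:" drop'
            comment: "Log and drop invalid packets."
          - position: 3
            statement: "ct state established,related accept"
          # NOTE(review): `ip6 nexthdr icmpv6` only matches when ICMPv6 is
          # the very next header (no IPv6 extension headers); `icmpv6 type`
          # on its own already implies the protocol match. The type set also
          # omits packet-too-big (needed for IPv6 PMTUD), nd-router-solicit,
          # time-exceeded and parameter-problem -- review against RFC 4890
          # before relying on this chain on an IPv6 host.
          # Folded scalar: renders to the single-line statement unchanged.
          - position: 10
            statement: >-
              ip6 nexthdr icmpv6 icmpv6 type
              {nd-neighbor-solicit,echo-request,nd-router-advert,nd-neighbor-advert}
              accept
          # Renders to `tcp dport {ssh, http, https} accept`: the Jinja block
          # ends at the first `}}`, and the third `}` is the literal closing
          # brace of the nft set.
          - position: 11
            statement: "tcp dport {{ '{' + ', '.join(allowed_services) }}} accept"
          # NOTE(review): there is no ICMPv4 rule, so with policy drop IPv4
          # echo-request and destination-unreachable (including the
          # fragmentation-needed messages PMTUD depends on) are dropped.
          # Confirm this is intended rather than an omission.

      # Forward: allow-all. This is only harmless while IP forwarding is off
      # (net.ipv4.ip_forward / net.ipv6.conf.all.forwarding); if the host
      # ever forwards, this chain lets everything through -- prefer a drop
      # policy with explicit accepts in that case.
      - name: "forward"
        base:
          type: "filter"
          hook: "forward"
          priority: 0
        policy: "accept"

      # Output: allow-all, no rules (same shape as the forward chain). An
      # entry with an empty `statement` is not a valid nft rule, so none is
      # listed; an example rule is kept here, disabled, for reference:
      #   rules:
      #     - position: 1
      #       statement: "ip daddr 192.0.2.100 counter"
      - name: "output"
        base:
          type: "filter"
          hook: "output"
          priority: 0
        policy: "accept"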