#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;

		# Accept any localhost and libvirt traffic.
		iif "lo" accept
		iifname "virbr0" accept

		# Accept traffic originated from us.
		ct state established,related accept

		# Open ports for public services.
		tcp dport    22 ct state new accept  # SSH
		tcp dport  5353 ct state new accept  # Bonjour
		udp dport  5353 ct state new accept  # Bonjour
		tcp dport  8000 ct state new accept  # Python HTTP server.

		# Accept neighbour discovery otherwise IPv6 connectivity breaks.
		ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert } accept

		# Count and drop any other traffic.
		counter drop
	}

	chain forward {
		type filter hook forward priority 0; policy accept;
	}

	chain output {
		type filter hook output priority 0; policy accept;
	}
}

table ip nat {
	chain postrouting {
		type nat hook postrouting priority 100;

		# Masquerade NAT traffic (useful for VMs).
		masquerade
	}
}