move defaults to variables and clean up

templates/nftables.conf.j2

@@ -1,19 +1,22 @@
 #jinja2:lstrip_blocks: True
 #!/usr/sbin/nft -f
 
-{%- macro nftrule(name, rule) -%}
-	{{rule.matches }} {{ rule.statement }} comment "{{ name }}"
+{%- macro nftrule(rule) -%}
+	{{rule.matches }} {% if not rule.statement == "counter" %}counter {% endif %}{{ rule.statement }} comment "{{ rule.comment }}"
 {% endmacro %}
 
 {%- macro nftchain(name) -%}
+	{% set chain_rules = [] %}
 	{% for i in firewall.chains[name] %}
 		{% if not firewall.chains[name][i] is mapping %}
 			{% set tmprule = { 'matches': firewall.chains[name][i] }%}
 		{% else %}
 			{% set tmprule = firewall.chains[name][i] %}
 		{% endif%}
-		{% set rule = {}|combine(firewall.defaults.all, firewall.defaults[name], tmprule, recursive=True) %}
-		{{ nftrule(i, rule) }}
+		{% set rule = {}|combine(firewall.defaults.all, firewall.defaults[name], {'comment': i}, tmprule, recursive=True) %}{{ chain_rules.append(rule) }}
+	{% endfor %}
+	{% for rule in chain_rules|sort(attribute='priority') %}
+	{{ nftrule(rule) }}
 	{% endfor %}
 {% endmacro%}
 
@@ -28,14 +31,6 @@ table inet filter {
 		type filter hook input priority 0;
 		policy {{ firewall.policies.input }};
 
-		iif lo accept comment "Accept any localhost traffic"
-		ct state invalid drop comment "Drop invalid connections"
-		ct state established,related accept comment "Accept established (statefull)"
-
-		ip6 nexthdr icmpv6 accept comment "Accept ICMPv6"
-		ip protocol icmp accept comment "Accept ICMP"
-		ip protocol igmp accept comment "Accept IGMP"
-
 {{ nftchain('input') }}
 
 		counter comment "Count dropped"
@@ -45,9 +40,6 @@ table inet filter {
 		type filter hook forward priority 0;
 		policy {{ firewall.policies.forward }};
 
-		ct state invalid drop comment "Drop invalid connections"
-		ct state established,related accept comment "Accept established (statefull)"
-
 {{ nftchain('forward') }}
 
 		counter comment "Count dropped"