#jinja2:lstrip_blocks: True
#!/usr/sbin/nft -f
{#-
   Renders this host's nftables ruleset from the `firewall` variable.

   Inputs read by this template:
     firewall.vars                 name -> list; each becomes `define name = { ... }`
     firewall.chains[<name>]       rule lists for input / forward / output /
                                   nat_prerouting / nat_postrouting / nat6_prerouting / nat6_postrouting
     firewall.defaults.all,
     firewall.defaults[<name>]     passed (in that order) to the expand_nft_rules filter, which
                                   is a project filter plugin, not part of Jinja -- how it merges
                                   defaults into rules is not visible here
     firewall.policies.{input,forward,output}
                                   base-chain policies for the inet filter table

   `flush ruleset` below means every load replaces the entire ruleset, including whatever the
   drop-in files pulled in by the trailing include added on the previous load, so nothing
   accumulates between applies.
#}
{%- macro nftrule(rule) -%}
{# One rule line: <matches> [counter] <statement> comment "<comment>".
   The `counter` keyword is prefixed unless the statement itself is `counter` AND rule.counter
   is truthy. Note `not` binds tighter than `or`, so:
     - for any statement other than "counter", rule.counter has no effect (always counted);
     - for statement "counter" with rule.counter unset/false, this renders `counter counter`.
   That looks like an operator-precedence slip rather than a feature -- TODO confirm the
   intended meaning of rule.counter before changing the condition.
   rule.comment is interpolated verbatim inside double quotes: a value containing `"` breaks
   the rule syntax and `nft -f` then rejects the whole file, so keep comments plain text. -#}
{{rule.matches }} {% if not rule.statement == "counter" or not rule.counter %}counter {% endif %}{{ rule.statement }} comment "{{ rule.comment }}"
{% endmacro %}
{%- macro nftchain(name) -%}
{# Emits every rule of firewall.chains[name] after defaults are merged by expand_nft_rules,
   ordered by rule.priority ascending. priority is the only sort key, and Jinja's sort is
   stable, so rules with equal priority keep the order the filter returned them in. -#}
{% for rule in firewall.chains[name]|expand_nft_rules([firewall.defaults.all, firewall.defaults[name]])|sort(attribute='priority') %}
{{ nftrule(rule) }}
{% endfor %}
{% endmacro%}

flush ruleset

{# Named constants/sets referenced from rule matches (as $name). An empty list would render
   `{ }`, which nft may not accept -- TODO confirm the inventory never supplies an empty list. -#}
{% for i in firewall.vars %}
define {{ i }} = { {{ firewall.vars[i]|join(', ') }} }
{% endfor %}

table inet filter {
    chain input {
        type filter hook input priority 0; policy {{ firewall.policies.input }};
        {{ nftchain('input') }}
        # Last rule: counts packets no earlier rule terminated, i.e. everything that falls
        # through to the chain policy. The "dropped" wording assumes that policy is drop;
        # with policy accept this counts accepted-by-default traffic instead.
        counter comment "Count dropped"
    }
    chain forward {
        type filter hook forward priority 0; policy {{ firewall.policies.forward }};
        {{ nftchain('forward') }}
        # Same fall-through counter as in the input chain; see the note there.
        counter comment "Count dropped"
    }
    chain output {
        type filter hook output priority 0; policy {{ firewall.policies.output }};
        {{ nftchain('output') }}
        # No fall-through counter here, unlike input/forward -- presumably intentional; confirm.
    }
}

# NAT is split into separate ip and ip6 tables (the inet family is not used for NAT here),
# so IPv4 rules come from the nat_* chains and IPv6 rules from the nat6_* chains.
# Priorities -100 / 100 are nft's standard dstnat / srcnat priorities.
table ip nat {
    # NAT
    chain prerouting {
        type nat hook prerouting priority -100;
        {{ nftchain('nat_prerouting') }}
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        {{ nftchain('nat_postrouting') }}
    }
}

table ip6 nat {
    # NAT
    chain prerouting {
        type nat hook prerouting priority -100;
        {{ nftchain('nat6_prerouting') }}
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        {{ nftchain('nat6_postrouting') }}
    }
}

# Host-local drop-ins, applied after the generated ruleset above. Anything in that directory
# becomes part of the active ruleset with full effect (it can add or extend tables and chains),
# so its contents deserve the same review and ownership/permission controls as this file.
include "/etc/nftables.d/*.nft"