
#jinja2:lstrip_blocks: True
#!/usr/sbin/nft -f
{%- macro nftrule(name, rule) -%}
{#- Emit a single nft rule line of the form
      <matches> <statement> comment "<name>"
    `rule` is the merged rule mapping (defaults + per-rule overrides) and
    `name` is the rule's key under firewall.chains.<chain>.  The key is
    interpolated into the nft comment string without any escaping, so a
    key containing a double quote yields a line nft cannot parse; keep
    keys to plain identifiers. -#}
{{ [rule['matches'], rule['statement'], 'comment "' ~ name ~ '"'] | join(' ') }}
{% endmacro %}
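{%- macro nftchain(name) -%}
{#- Render every entry of firewall.chains[<name>] through nftrule, one rule
    per output line.

    Each entry is either a bare match string (shorthand for {'matches': …})
    or a mapping; it is merged recursively over firewall.defaults.all and
    firewall.defaults.<name>, so chain-wide defaults (e.g. a statement) can
    be set once.  Entries are emitted in mapping order, which matters: accept
    and drop are terminating verdicts in nft, so the first matching rule wins.

    The `-%}` whitespace control on the block tags is deliberate: trim_blocks
    is not enabled for this template, so without it every `{% ... %}` line
    emitted a blank line and each rule was preceded by several empty lines.

    NOTE(review): firewall.chains[<name>] must exist as a mapping (possibly
    empty) for every chain this file calls nftchain for — confirm the role
    defaults provide that. -#}
{% for key, spec in firewall.chains[name].items() -%}
{% set override = spec if spec is mapping else {'matches': spec} -%}
{% set rule = {} | combine(firewall.defaults.all, firewall.defaults[name], override, recursive=True) -%}
{{ nftrule(key, rule) }}
{%- endfor %}
{% endmacro%}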
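# Ruleset rendered by the firewall role.
# NOTE: "flush ruleset" clears every table of every family on each load --
# including tables maintained by other software (container runtimes,
# fail2ban, libvirt, ...), not only inet/filter.  Rules that must coexist
# with this file belong in /etc/nftables.d/ (included at the bottom).
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        policy {{ firewall.policies.input }};
        iif lo accept comment "Accept any localhost traffic"
        ct state invalid drop comment "Drop invalid connections"
        ct state established,related accept comment "Accept traffic originated from us"
        # "meta l4proto" matches the transport protocol after the kernel has
        # walked any IPv6 extension headers.  The previous "ip6 nexthdr icmpv6"
        # only matched when ICMPv6 was the very next header, so ICMPv6 carried
        # behind e.g. a hop-by-hop header (MLD queries/reports) fell through to
        # the chain policy.  All ICMP/ICMPv6 types are accepted unrated here;
        # tighten per deployment if that is not acceptable.
        meta l4proto ipv6-icmp accept comment "Accept ICMPv6"
        ip protocol icmp accept comment "Accept ICMP"
        ip protocol igmp accept comment "Accept IGMP"
        {{ nftchain('input') }}
        # Counts packets that fall through to the chain policy; they are only
        # actually dropped when firewall.policies.input is "drop".
        counter comment "Count dropped"
    }
    chain forward {
        type filter hook forward priority 0;
        policy {{ firewall.policies.forward }};
        # No ct-state shortcut here: with a drop policy, return traffic for
        # forwarded flows must be allowed explicitly via firewall.chains.forward.
        {{ nftchain('forward') }}
        counter comment "Count dropped"
    }
    chain output {
        type filter hook output priority 0;
        policy {{ firewall.policies.output }};
        # Unlike input, this chain has no loopback or established/related
        # accept and no trailing counter.  If firewall.policies.output is
        # "drop", those rules must be supplied through firewall.chains.output
        # or local services (including DNS lookups) will break.
        {{ nftchain('output') }}
    }
}
# Drop-in directory, evaluated after the table above (and after the flush),
# so additional tables/chains placed there survive a reload.  Anything in
# this directory becomes part of the active ruleset; keep it root-writable only.
include "/etc/nftables.d/*.nft"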