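#!/usr/sbin/nft -f

## Variables

# Interfaces
define if_net1_v4_wan = "net1"
define if_net2_v6_wan = "net2"
define if_net0_2_v4_nat = "net0.2"
define if_net0_3_ci_runner = "net0.3"

# Interface Groups
define wan_ifs = { $if_net1_v4_wan, $if_net2_v6_wan }
define lan_ifs = { $if_net0_2_v4_nat, $if_net0_3_ci_runner }

## Rules

# Reverse-path filter. Runs in prerouting (before the `host` and `forward`
# tables below) and drops any packet whose source address is not routed back
# out of the interface it arrived on.
table inet reverse-path-forwarding {
    chain rpf-filter {
        type filter hook prerouting priority mangle + 10; policy drop;

        # Only allow packets if their source address is routed via their incoming interface.
        # https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
        # NOTE(review): the NixOS chain this mirrors also accepts DHCPv4
        # (udp sport . udp dport { 67 . 68, 68 . 67 }) ahead of the fib check.
        # If any interface obtains its IPv4 address via DHCP, the OFFER/ACK
        # arriving before a route exists would be dropped here — confirm.
        fib saddr . mark . iif oif exists accept
    }
}

# Traffic addressed to this host.
table inet host {
    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept comment "allow loopback"
        ct state invalid drop
        ct state established,related accept

        # Match ICMP/ICMPv6 on the transport protocol rather than with
        # `ip6 nexthdr icmpv6`: `nexthdr` only inspects the first IPv6 header,
        # so ICMPv6 carried behind an extension header (e.g. MLD, which uses a
        # hop-by-hop Router Alert option) would fall through to the drop policy.
        meta l4proto { icmp, ipv6-icmp } accept

        # Allow SSH access.
        # NOTE(review): no `iifname` qualifier, so this is reachable on every
        # interface including $wan_ifs; restricting to $lan_ifs or adding a
        # rate limit would reduce exposure — confirm WAN-side SSH is intended.
        tcp dport 22 accept comment "allow ssh access"

        # Allow DHCP server access.
        iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access"
    }
}

# IPv4 source NAT for traffic leaving via the v4 WAN interface.
table ip v4nat {
    # Registered but currently empty: no destination NAT rules are defined.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        oifname $if_net1_v4_wan masquerade
    }
}

# Routed traffic between interfaces. Only new LAN -> WAN flows (plus replies to
# tracked connections) are permitted; LAN <-> LAN and WAN -> LAN new
# connections fall through to the drop policy.
table inet forward {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state invalid drop
        ct state established,related accept

        # Allow internet access.
        meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access"
        meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
    }
}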