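#!/usr/sbin/nft -f
# {{ ansible_managed }}
#
# Host firewall, loaded atomically by `nft -f`.  Only an input chain is
# defined in this file: the forward and output hooks are not filtered here,
# so they keep the kernel default (accept) unless one of the included
# tables_*.conf files adds a chain for them.

# NOTE: `flush ruleset` clears every table in the kernel, not just the ones
# defined below -- including tables owned by other tooling on the host.
# Every reload of this file therefore has to carry the complete ruleset.
flush ruleset

table inet filter {
    chain input {
        # Explicit drop policy.  A base chain without a policy defaults to
        # accept, and a `return` verdict inside any included rule resolves
        # to the chain policy, so relying on the trailing `counter drop`
        # alone is not a safe default.
        type filter hook input priority 0; policy drop;

        # accept any localhost traffic
        iif lo accept

        # drop packets conntrack cannot classify (malformed, out-of-window)
        # before the established/related shortcut so they never match it
        ct state invalid drop

        # accept replies to traffic originated from us
        ct state established,related accept

        # accept neighbour discovery otherwise IPv6 connectivity breaks.
        # ND is not a tracked flow, so it cannot ride on the
        # established,related rule above.  `icmpv6 type` carries an implicit
        # l4proto match and, unlike `ip6 nexthdr icmpv6`, still matches when
        # an IPv6 extension header sits between the IPv6 and ICMPv6 headers.
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

        # ICMPv6 error messages that RFC 4890 says must not be filtered;
        # dropping packet-too-big in particular breaks path MTU discovery.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # NOTE: IPv4 ICMP (e.g. echo-request) is not accepted here.  Only ICMP
        # errors that conntrack relates to an existing flow get through;
        # anything else must be opened explicitly in an included rules file.

        # include specifics rules
        include "/srv/nftables/rules_*.conf"

        # count and drop any other traffic (redundant with the chain policy,
        # kept so dropped packets are still counted)
        counter drop
    }
}

# include more tables
include "/srv/nftables/tables_*.conf"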