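#!/usr/sbin/nft -f
# {{ ansible_managed }}
#
# Host firewall: a single `inet` table (IPv4 + IPv6) with an input chain.
# Everything not explicitly accepted below is counted and dropped.
#
# NOTE: `flush ruleset` wipes *every* table in the kernel, including those
# created by other tools (container runtimes, fail2ban, libvirt, ...). If such
# tools run on the target host, they must be restarted after this file is
# loaded, or this line must be narrowed to `flush table inet filter`.
flush ruleset

table inet filter {
  chain input {
    # `policy drop` makes the chain fail closed even if the trailing
    # `counter drop` rule is ever removed or mis-rendered by the template.
    type filter hook input priority 0; policy drop;

    # Loopback is always trusted.
    iif lo accept

    # Drop packets conntrack cannot attribute to any connection (e.g. stray
    # TCP segments, out-of-window packets) before they can reach a port-based
    # accept rule below.
    ct state invalid drop

    # Replies to traffic we initiated, plus related flows (ICMP errors, FTP
    # data, ...).
    ct state established,related accept

    # IPv6 neighbour discovery; without it IPv6 connectivity breaks.
    # `meta l4proto` is used instead of `ip6 nexthdr` so the match still
    # works when an extension header precedes the ICMPv6 header.
    # NOTE(review): accepting nd-router-advert from any neighbour means a rogue
    # RA on the link can reconfigure this host's routes/addresses (RFC 6104).
    # If the host uses static IPv6 configuration, consider removing
    # nd-router-advert from this set, or restricting it with `ip6 saddr fe80::/10`.
    meta l4proto ipv6-icmp icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

    # Host-specific rules, rendered from `nftables_rules`: a list of
    # { comment: <string>, rules: [<nft rule>, ...] } entries.
    {# The comment is emitted into a `#` line; strip newlines so a value
       containing one cannot break out of the comment and inject a rule.
       The rules themselves are trusted inventory data and are emitted verbatim. #}
{% for infos in nftables_rules %}
    ## {{ infos.comment | replace('\n', ' ') }}
    {{ infos.rules | join('\n') | indent(width=4, first=false) }}
{% if not loop.last %}

{% endif %}
{% endfor %}

    # Count and drop any other traffic (also what `policy drop` would do;
    # the explicit rule keeps a counter visible in `nft list ruleset`).
    counter drop
  }

  # NOTE(review): no forward chain is defined, so forwarded traffic is not
  # filtered by this table. That is fine for a pure host; if IP forwarding is
  # enabled on the target, add a `chain forward { type filter hook forward
  # priority 0; policy drop; }` with the required exceptions.
}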