initial nftables config generation test

pkg/nftables/template/destination_nat_rules.tmpl

@@ -0,0 +1,3 @@
+{{range $rule := .Netfilter.DestinationNATRules}}
+    {{template "rule_match.tmpl" .Match}} {{ if $rule.Counter }} counter {{ end }} {{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}"  {{ end }}
+{{end}}

pkg/nftables/template/forward_rules.tmpl

@@ -0,0 +1,3 @@
+{{range $rule := .Netfilter.ForwardRules}}
+    {{template "rule_match.tmpl" .Match}} {{ if $rule.Counter }} counter {{ end }} {{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}"  {{ end }}
+{{end}}

pkg/nftables/template/nftables.tmpl

@@ -0,0 +1,48 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+# Address object ipsets
+{{template "addresses.tmpl" .}}
+
+# nfsense nftables inet (ipv4 + ipv6) table
+table inet nfsense_inet {
+
+    # Inbound Rules
+    chain inbound {
+        type filter hook input priority 0; policy drop;
+
+        # Allow traffic from established and related packets, drop invalid
+        ct state vmap { established : accept, related : accept, invalid : drop }
+
+        # allow loopback traffic, anything else jump to chain for further evaluation
+        iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }
+
+        {{template "inbound_rules.tmpl" .}}
+    }
+
+    # Forward Rules
+    chain forward {
+        type filter hook forward priority 0; policy drop;
+
+        # Allow traffic from established and related packets, drop invalid
+        ct state vmap { established : accept, related : accept, invalid : drop }
+
+        {{template "forward_rules.tmpl" .}}
+    }
+
+    # Destination NAT Rules
+    chain prerouting {
+        type nat hook prerouting priority -100; policy accept;
+
+        {{template "destination_nat_rules.tmpl" .}}
+    }
+
+    # Source NAT Rules
+    chain postrouting {
+        type nat hook postrouting priority 100; policy accept;
+
+        {{template "source_nat_rules.tmpl" .}}
+    }
+}
+

pkg/nftables/template/rule_match.tmpl

@@ -0,0 +1 @@
+    tcp dport {{ .TCPDestinationPort }}

pkg/nftables/template/source_nat_rules.tmpl

@@ -0,0 +1,3 @@
+{{range $rule := .Netfilter.SourceNATRules}}
+    {{template "rule_match.tmpl" .Match}} {{ if $rule.Counter }} counter {{ end }} {{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}"  {{ end }}
+{{end}}