#!/usr/sbin/nft -f

flush ruleset

# nfsense nftables inet (ipv4 + ipv6) table
table inet nfsense_inet {

    # Rule Counters for Forward Rules
    {{- range $i, $rule := $.Firewall.ForwardRules }}
    {{- if $rule.Counter }}
    counter fw_{{ $i }} {
        comment "{{ $rule.Name }}"
    }
    {{- end}}
    {{- end}}

    # Rule Counters for Destination NAT Rules
    {{- range $i, $rule := $.Firewall.DestinationNATRules }}
    {{- if $rule.Counter }}
    counter dnat_{{ $i }} {
        comment "{{ $rule.Name }}"
    }
    {{- end}}
    {{- end}}

    # Rule Counters for Source NAT Rules
    {{- range $i, $rule := $.Firewall.SourceNATRules }}
    {{- if $rule.Counter }}
    counter snat_{{ $i }} {
        comment "{{ $rule.Name }}"
    }
    {{- end}}
    {{- end}}

    # Inbound Rules
    chain inbound {
        type filter hook input priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }

        # Allow loopback traffic
        iifname lo accept
        
        # temp Allow Inbound traffic
        counter accept comment "temp inbound allow"
    }

    # Forward Rules
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }

        # Generated Forward Rules
        {{- range $i, $rule := $.Firewall.ForwardRules }}
        {{ addressMatcher $.Object.Addresses $rule.Match }} jump {
            {{- $baseServices := getBaseServices $.Object.Services $rule.Match.Services }}
            {{- range $service := $baseServices }}
            {{ serviceMatcher $service }}{{ if $rule.Counter }} counter name fw_{{ $i }}{{ end }} {{ $rule.Verdict.String }}
            {{- end}}
        }
        {{- end}}
    }

    # Destination NAT Rules
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;

        # Generated Destination NAT Rules
        {{- range $i, $rule := $.Firewall.DestinationNATRules }}
            {{ addressMatcher $.Object.Addresses $rule.Match }} jump {
            {{- $baseServices := getBaseServices $.Object.Services $rule.Match.Services }}
            {{- range $service := $baseServices }}
            {{ serviceMatcher $service }}{{ if $rule.Counter }} counter name dnat_{{ $i }}{{ end }} {{ destinationNatAction $ $rule }}
            {{- end}}
        }
        {{- end}}
    }

    # Source NAT Rules
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Generated Source NAT Rules
        {{- range $i, $rule := $.Firewall.SourceNATRules }}
            {{ addressMatcher $.Object.Addresses $rule.Match }} jump {
            {{- $baseServices := getBaseServices $.Object.Services $rule.Match.Services }}
            {{- range $service := $baseServices }}
            {{ serviceMatcher $service }}{{ if $rule.Counter }} counter name snat_{{ $i }}{{ end }} {{ sourceNatAction $ $rule }}
            {{- end}}
        }
        {{- end}}
    }
}