shinobu/router: Switch to nftables

machines/shinobu/services/router.nix

@@ -43,13 +43,33 @@ in
   networking = {
     # networkd handles this
     useDHCP = false;
-    # networkd didn’t work that well for this
+
-    nat = {
+    nftables = {
       enable = true;
-      enableIPv6 = true;
+      ruleset = ''
-      externalInterface = "wg-upstream";
+        define NAT_LAN_IFACES = { "br-lan" }
-      internalInterfaces = [ "br-lan" ];
+        define NAT_WAN_IFACES = { "wg-upstream" }
-      internalIPv6s = [ "fd00:80:1::/64" ];
+
+        table inet filter {
+          chain forward {
+            type filter hook forward priority filter; policy drop;
+
+            iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept;
+            iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept;
+          }
+        }
+
+        table inet nat {
+          chain prerouting {
+            type nat hook prerouting priority filter; policy accept;
+          }
+
+          chain postrouting {
+            type nat hook postrouting priority filter; policy accept;
+            oifname $NAT_WAN_IFACES masquerade;
+          }
+        }
+      '';
     };
   };