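# Router ruleset: forwards and masquerades traffic from the LAN bridge to the
# physical WAN interface, restricts what the WAN interface may deliver to this
# host (in front of the NixOS firewall), and keeps an empty tracing table for
# debugging.

define NAT_LAN_IFACES = { "br-lan" }
define PHYSICAL_WAN = "enp1s0"
define NAT_WAN_IFACES = { $PHYSICAL_WAN }

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop

        # Packets that conntrack cannot associate with a flow are never NATed
        # (masquerade only rewrites tracked connections), so forwarding them
        # would send them out of the wan side with the LAN source address
        # unchanged. Drop them before any accept rule can match.
        ct state invalid counter drop

        # allow traffic between lan and wan:
        # anything from lan may go out, only replies may come back in
        iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept
        iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept
    }
}

table inet nat {
    chain postrouting {
        # "filter" (0) works for a nat chain, but "srcnat" (100) is the
        # conventional priority name for postrouting NAT.
        type nat hook postrouting priority filter; policy accept

        # rewrite the source of everything leaving over wan to the wan address
        oifname $NAT_WAN_IFACES masquerade
    }
}

# Only allow select connections from and to (physical) wan,
# overriding NixOS firewall in some cases.
table inet restrict-wan {
    # These chains must be evaluated before the NixOS firewall's chains, which
    # use priority filter (0); a numerically lower priority runs earlier.
    # An accept here only ends this chain -- the NixOS chain still sees the
    # packet afterwards -- whereas a drop here is final.
    chain input {
        type filter hook input priority -50; policy accept

        # accept responses to connections this host opened
        # (ICMP/ICMPv6 errors tied to a tracked flow are classified "related")
        iifname $PHYSICAL_WAN ct state established,related counter accept

        # accept icmpv6 neighbour/router discovery
        iifname $PHYSICAL_WAN icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

        # drop everything else arriving on wan
        iifname $PHYSICAL_WAN counter drop
    }

    # This handles all packets (local and forwarded)
    chain postrouting {
        type filter hook postrouting priority 0; policy accept

        # accept connections over physical wan
        # (with policy accept this rule only counts; it is the place to add
        # outbound restrictions if they are ever needed)
        oifname $PHYSICAL_WAN counter accept
    }
}

# Tracing infrastructure, can be used for debugging (nft monitor trace)
table inet trace {
    # both base chains run just before the "raw" priority and hand off to
    # the shared chain, so one tracing rule covers inbound and locally
    # generated packets
    chain prerouting {
        type filter hook prerouting priority raw - 1
        jump common
    }

    chain output {
        type filter hook output priority raw - 1
        jump common
    }

    chain common {
        # Add tracing rule here
        # … meta nftrace set 1
        # DO NOT COMMIT ANY TRACING RULES
    }
}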