#! /home/kaber/src/nf/nft/nftables/src/nft -nf
#
# Development test ruleset for the (pre-release) nft syntax: base chains are
# declared with the raw "hook NF_INET_LOCAL_IN 0" form and no "type"/"policy"
# statement.  The interpreter path in the shebang is a developer's private
# source tree, so this file is only directly executable on that machine.
#
# The ruleset was recovered from a copy collapsed onto a single line, so the
# rule boundaries below are reconstructed.  Verdicts are unaffected by where
# a rule is split (every "counter" is non-terminal), but which packets a given
# counter counts may differ from the author's original layout -- confirm
# against the upstream file before relying on specific counter values.
#
# NOTE(review): this is NOT a hardened host firewall.  input_local ends in an
# unconditional "jump log_accept", so all inbound traffic on eth0/eth1 is
# accepted after the stateful pass, and the base chains carry no explicit
# policy (base chains without one default to accept -- verify for this nft
# version).  Treat it as a test fixture for vmap/ct/log/counter handling.

#include "ipv4-filter"

# Tear down any existing "filter" table before redefining it.  "flush" is
# redundant with "delete" (deleting a table removes its chains and rules) but
# kept for fidelity.  Unless this nft applies the file as one atomic
# transaction, there is a window between the delete and the re-creation in
# which no rules exist at all.
flush table filter
delete table filter

table filter {
	# Terminal helper chains: count, log with a fixed prefix, then verdict.
	chain log_drop {
		counter
		log prefix "drop"
		drop
	}

	chain log_accept {
		counter
		log prefix "accept"
		accept
	}

	# Policy for ct state "related" flows (reached only via accept_stateful).
	# Related flows whose destination is a privileged port are dropped before
	# any helper is consulted; everything else related is accepted, with the
	# log prefix naming the conntrack helper that created the expectation.
	chain accept_related {
		counter
		tcp dport < 1024 counter log prefix "drop-related" drop
		udp dport < 1024 counter log prefix "drop-related" drop
		ct helper "sip" counter log prefix "accept-related-sip" accept
		ct helper "ftp" counter log prefix "accept-related-ftp" accept
		ct helper "irc" counter log prefix "accept-related-irc" accept
		counter log prefix "accept-related" accept
	}

	# Stateful fast path: established flows are accepted outright, related
	# flows go through accept_related.  Any other state (new, invalid,
	# untracked) falls off the end of this chain back to the caller, which is
	# what the trailing counter measures.
	chain accept_stateful {
		counter
		ct state vmap { established => accept, related => jump accept_related }
		counter
	}

	# Per-interface handling for locally delivered packets.  Whatever
	# accept_stateful does not decide is accepted unconditionally, i.e. no
	# inbound filtering happens here.
	chain input_local {
		counter
		jump accept_stateful
		jump log_accept
	}

	# Per-interface handling for locally generated packets.  The UDP set
	# (123, 631, 514 -- conventionally NTP, IPP/CUPS and syslog) is accepted
	# silently; everything else new is accepted via log_accept.
	chain output_local {
		counter
		jump accept_stateful
		udp dport { 123, 631, 514 } accept
		jump log_accept
	}

	# Base chain on the local-input hook: dispatch by ingress interface.
	# Interfaces not in the map fall through ("continue") and are only
	# counted; with no chain policy they are accepted.
	chain input {
		hook NF_INET_LOCAL_IN 0
		counter
		meta iif vmap { "eth0" => jump input_local, "eth1" => jump input_local, * => continue }
		counter
	}

	# Target of the ip daddr vmap in chain output; counts and returns.
	chain test1 {
		counter
	}

	# Base chain on the local-output hook: interface dispatch as for input,
	# followed by a second oif match (counter only) and a daddr vmap that
	# diverts traffic to 192.168.0.1 through test1.  Nothing here drops.
	chain output {
		hook NF_INET_LOCAL_OUT 0
		counter
		meta oif vmap { "eth0" => jump output_local, "eth1" => jump output_local, * => continue }
		counter
		meta oif { "eth0", "eth1" } counter
		ip daddr vmap { 192.168.0.1 => jump test1, * => continue }
		counter
	}
}