#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
#
# Host firewall for a single, non-forwarding machine.
#
# Every hook defaults to drop. What is allowed:
#   input   - loopback, conntrack replies, ICMP/ICMPv6, new SSH
#   output  - loopback, conntrack replies, ICMP/ICMPv6, any new connection
#             except UDP/443 (QUIC / HTTP-3), which is rejected
#   forward - nothing
# Each rule carries a counter so `nft list ruleset` shows which rule is
# matching; the trailing counter-only rule in each chain records what the
# chain policy dropped.

flush ruleset

table inet filter {

  chain input {
    type filter hook input priority filter;
    policy drop;

    # Traffic on the loopback interface is never filtered.
    iif lo counter accept comment "accept any localhost traffic"

    # Packets belonging to a connection conntrack already knows about.
    ct state established,related counter accept comment "accept established,related"
    # Packets conntrack cannot associate with any connection.
    ct state invalid counter drop comment "drop invalid"

    # All ICMP and ICMPv6 types, unrestricted.
    meta l4proto { icmp, ipv6-icmp } counter accept comment "accept ICMP"

    # The only inbound service: SSH (TCP/22).
    tcp dport ssh ct state new counter accept comment "accept new SSH connections"

    # Everything else falls through to the chain policy (drop); this rule
    # only counts it.
    counter comment "count any other dropped traffic"
  }

  chain output {
    type filter hook output priority filter;
    policy drop;

    # Traffic on the loopback interface is never filtered.
    oif lo counter accept comment "accept any localhost traffic"

    # Packets belonging to a connection conntrack already knows about.
    ct state established,related counter accept comment "accept established,related"
    # Packets conntrack cannot associate with any connection.
    ct state invalid counter drop comment "drop invalid"

    # All ICMP and ICMPv6 types, unrestricted.
    meta l4proto { icmp, ipv6-icmp } counter accept comment "accept ICMP"

    # New outbound UDP/443 (QUIC / HTTP-3) is rejected rather than dropped,
    # presumably so the local client gets an immediate error instead of a
    # timeout and can fall back to TCP. Must precede the catch-all accept.
    udp dport https ct state new counter reject comment "reject new HTTP/3 connections"

    # Any other new outbound connection is permitted.
    ct state new counter accept comment "accept new outbound connections"

    # Everything else falls through to the chain policy (drop); this rule
    # only counts it.
    counter comment "count any other dropped traffic"
  }

  chain forward {
    type filter hook forward priority filter;
    policy drop;

    # This host is not a router: nothing is forwarded. The policy drops
    # every packet; this rule only counts them.
    counter comment "count dropped traffic"
  }
}