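#!/usr/sbin/nft -f
# nftables configuration for Gentoo workstation
# Security-focused firewall with Docker support
#
# Layout: one "inet" table (IPv4 + IPv6) with input/forward/output chains,
# plus an "ip nat" table kept for optional Docker masquerading.
#
# NOTE: "flush ruleset" removes every table in the kernel, including any
# created by other tools (e.g. Docker, if it manages its own rules through
# iptables-nft) -- TODO confirm on this host. Restart such services after
# loading this file, or replace the flush with "delete table inet filter".

# Flush existing ruleset
flush ruleset

# Define variables
define lan_interface = "wlp194s0"   # interface facing the trusted LAN
define nas_ip = 192.168.2.171       # not referenced by any rule yet
define ssh_port = 22

table inet filter {
    # Per-source meter for new SSH connections. "dynamic" is required for a
    # set that is updated from the packet path with a stateful (limit)
    # expression; an entry expires 5 minutes after its last update.
    set ratelimit_ssh {
        type ipv4_addr
        flags dynamic,timeout
        timeout 5m
    }

    # Sources that exceeded the SSH rate. Dropped for 1 hour, then forgotten.
    set blocklist {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1h
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Allow established and related connections
        ct state established,related accept

        # Allow loopback
        iif "lo" accept

        # Drop invalid packets
        ct state invalid drop

        # Allow ICMP (ping) with rate limiting
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 5/second accept

        # Allow ICMPv6: ping plus the neighbour/router discovery types a host needs
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } limit rate 5/second accept

        # SSH from the LAN interface only, with per-source rate limiting:
        #  1. anything from a source already in @blocklist is dropped;
        #  2. a source opening more than 3 new connections/minute is added to
        #     @blocklist and the packet dropped -- "limit rate over" matches
        #     only once the rate is exceeded, so normal clients fall through;
        #  3. otherwise the new connection is accepted.
        # Both sets are ipv4_addr and "ip saddr" never matches IPv6, so SSH
        # over IPv6 is not permitted by these rules.
        ip saddr @blocklist drop
        iifname $lan_interface tcp dport $ssh_port ct state new \
            update @ratelimit_ssh { ip saddr limit rate over 3/minute } \
            add @blocklist { ip saddr } drop
        iifname $lan_interface tcp dport $ssh_port ct state new accept

        # Allow mDNS for local network discovery
        udp dport 5353 ip daddr 224.0.0.251 accept
        udp dport 5353 ip6 daddr ff02::fb accept

        # Allow DHCPv6 client: server replies arrive FROM port 547 TO port 546.
        # Conntrack cannot pair them with the outgoing multicast solicit, so
        # the established/related rule above does not cover them.
        udp sport 547 udp dport 546 accept

        # Log dropped packets (optional - comment out if too noisy)
        # limit rate 5/minute log prefix "nftables-drop: "

        # Drop everything else
        drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Allow established and related connections
        ct state established,related accept

        # Drop invalid packets
        ct state invalid drop

        # Docker containers (if needed)
        # Uncomment if using Docker bridge networking and Docker is not
        # installing its own forward rules (TODO confirm on this host)
        # iifname "docker0" accept
        # oifname "docker0" accept

        # Drop everything else
        drop
    }

    chain output {
        # Workstation: all outgoing traffic is allowed by the chain policy
        type filter hook output priority filter; policy accept;
    }
}

# Separate table for NAT (if needed for Docker)
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Docker NAT (uncomment if using Docker)
        # oifname $lan_interface masquerade
    }
}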