#!/usr/sbin/nft -I /etc/firewall/config -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk
# Copyright © 2020-2021 Thomas Chevalier

# Main ruleset of the router firewall. The whole ruleset is replaced
# atomically: everything currently loaded is flushed, then the includes
# below supply interface/address definitions and the per-network
# chains (from_*, to_*, dnat_*, snat_*, prefilter_*) that the base
# chains in this file dispatch to.
flush ruleset

# Interface names ($if_*, $admin_if) and address definitions used in the
# vmaps below come from these files; the chains they define are only
# referenced here, not declared, so a missing chain makes the load fail.
include "interfaces.nft"
include "defines_ip.nft"
include "defines_ip6.nft"
include "ddos_mitigation.nft"
include "networks/users.nft"
include "networks/deco.nft"
include "networks/prod.nft"
include "networks/dmz.nft"
include "networks/switchs.nft"
include "networks/federez.nft"
include "networks/renater.nft"
include "networks/nerim.nft"
include "networks/dmz_wireguard.nft"

# Single dual-stack (inet) table holding every base chain hooked into
# the netfilter path: prerouting (prefilter, DNAT), forward, postrouting
# (SNAT), and the host's own input/output.
table inet firewall {
    # Earliest hook (priority -150, before conntrack and DNAT): only
    # traffic arriving on the deco interface is handed to prefilter_deco.
    chain prefilter {
        type filter hook prerouting priority -150
        meta iif vmap {
            $if_deco: goto prefilter_deco,
        }
    }

    # Destination NAT, dispatched by input interface. Packets from
    # interfaces not listed here are left untouched.
    chain destination_nat {
        type nat hook prerouting priority -100
        meta iif vmap {
            $if_deco: goto dnat_deco,
            $if_nerim: goto dnat_nerim,
        }
    }

    # Routed traffic. Default policy is drop: anything that is not
    # explicitly accepted by a to_* chain (or by the stateful rules
    # below) is counted, logged and then dropped by the policy.
    chain forward {
        type filter hook forward priority 0
        policy drop

        # Stateful fast path: replies to already-accepted flows pass
        # without re-running the per-network chains.
        ct state established,related accept
        ct state invalid drop
        meta iif lo accept

        # Notes from https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation
        # iif :
        # Faster than iifname as it only has to compare a 32-bit unsigned integer instead of a string.
        # The interface index is dynamically allocated, so don't use this for interfaces that are dynamically created and destroyed, eg. ppp0.

        # Convention: we check in the to_* chain that jumping from one VLAN to another is allowed.
        # Filters on input interfaces.
        # The final decision is not taken in the from_* chain,
        # but instead packets return here for further processing. This is why `jump` is used here.
        meta iif vmap {
            $if_users: jump from_users,
            $if_deco: jump from_deco,
            $if_prod: jump from_prod,
            $if_dmz: jump from_dmz,
            $if_switchs: jump from_switchs,
            $if_federez: jump from_federez,
            $if_renater: jump from_renater,
            $if_dmz_wireguard: jump from_dmz_wireguard,
            $if_nerim: jump from_nerim,
        }

        # Filters on output interfaces. Do not return: either drop or accept
        # We use goto so we don't return to the calling chain after packets have been processed
        meta oif vmap {
            $if_users: goto to_users,
            $if_deco: goto to_deco,
            $if_prod: goto to_prod,
            $if_dmz: goto to_dmz,
            $if_switchs: goto to_switchs,
            $if_federez: goto to_federez,
            $if_renater: goto to_renater,
            $if_dmz_wireguard: goto to_dmz_wireguard,
            # NOTE(review): every other output entry is `goto to_*`; this one
            # jumps to the *input*-side chain from_nerim. Unless from_nerim
            # itself accepts, packets leaving via nerim return here, hit the
            # counter/log below and are dropped by the chain policy. Confirm
            # whether this is intended or should be `goto to_nerim`.
            $if_nerim: jump from_nerim
        }

        # This counter should be zero if we correctly filtered the connections
        # (every flow should have been accepted or dropped by a to_* chain
        # before reaching this point). Logged to nflog group 1.
        counter log group 1 prefix "Uncaught traffic:"
    }

    # Source NAT after routing, dispatched by output interface.
    chain source_nat {
        type nat hook postrouting priority 100
        meta oif vmap {
            $if_nerim: goto snat_nerim,
            $if_renater: goto snat_renater,
        }
    }

    # Locally generated traffic is not filtered.
    chain output {
        type filter hook output priority 0
        policy accept
    }

    # Traffic addressed to the router itself. Only the administration
    # interface is allowed in; replies to established flows are accepted
    # and everything else falls through to the drop policy. Any further
    # input rules would have to come from the included files (not visible
    # here).
    chain input {
        type filter hook input priority 0
        policy drop
        ct state established,related accept
        ct state invalid drop
        meta iif $admin_if accept
    }
}