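# Captive-portal ("deco") ruleset: a client gets unrestricted access only
# while its source address is in a whitelist set; everyone else has HTTP/HTTPS
# redirected to the portal and is otherwise limited to the portal hosts, DNS
# and the payment provider.
#
# Variables referenced but not defined here (expected from the including
# ruleset): $ip_deco_web_whitelist, $ip6_deco_web_whitelist,
# $ip_deco_dns_whitelist, $ip6_deco_dns_whitelist, $ip_deco_dnat,
# $ip6_deco_dnat, $ip_comnpay, $ip6_comnpay.
#
# None of the chains below declares a hook, so they are regular chains and are
# presumably reached by jump/goto from hook chains defined elsewhere.
table inet firewall {
    # Clients with full access. Elements expire after 1h; nothing in this
    # ruleset refreshes the timer, so access is granted in fixed 1h windows.
    set whitelist_ipv4 {
        type ipv4_addr
        flags timeout
        timeout 1h
    }
    set whitelist_ipv6 {
        type ipv6_addr
        flags timeout
        timeout 1h
    }

    # Clients that were whitelisted recently. The 2h window is longer than the
    # 1h whitelist, so after the whitelist entry expires the client is held at
    # limited access for the remaining hour and cannot immediately obtain a new
    # window by contacting the payment provider again.
    set retry_period_ipv4 {
        type ipv4_addr
        flags timeout
        timeout 2h
    }
    set retry_period_ipv6 {
        type ipv6_addr
        flags timeout
        timeout 2h
    }

    chain to_deco {
        accept
    }

    chain from_deco {
        # Accept all traffic because the filtering has been done before
        accept
    }

    chain dnat_deco {
        # Redirect all HTTP/HTTPS traffic to the captive portal if the client is
        # not in the whitelist. Clients in the retry period are not whitelisted,
        # so they are redirected as well.
        # NOTE(review): the forward-side policy (deco_limited) only accepts web
        # traffic to $ip_deco_web_whitelist; this assumes $ip_deco_dnat is
        # covered by that variable (or reached on another path) — confirm.
        ip saddr != @whitelist_ipv4 ip daddr != $ip_deco_web_whitelist tcp dport { http, https } dnat ip to $ip_deco_dnat
        ip6 saddr != @whitelist_ipv6 ip6 daddr != $ip6_deco_web_whitelist tcp dport { http, https } dnat ip6 to $ip6_deco_dnat
    }

    chain prefilter_deco {
        # When doing an online payment, the client must have access to several
        # websites in order for 3-D Secure to load correctly. This is why, when
        # the client hits the comnpay address, we whitelist it for a short time.
        # Any packet addressed to $ip_comnpay / $ip6_comnpay is enough to obtain
        # the 1h unrestricted window; the retry sets bound this to one such
        # window per 2h.

        # Whitelisted: full internet access
        ip saddr @whitelist_ipv4 accept
        ip6 saddr @whitelist_ipv6 accept

        # Whitelisted recently but expired: limited access, no re-whitelisting
        ip saddr @retry_period_ipv4 goto deco_limited
        ip6 saddr @retry_period_ipv6 goto deco_limited

        # Neither whitelisted nor recently whitelisted, and contacting the
        # payment provider: whitelist the client
        ip daddr $ip_comnpay goto deco_whitelist
        ip6 daddr $ip6_comnpay goto deco_whitelist

        # Everything else: limited access. This is unconditional so that a
        # client matching none of the rules above is confined to deco_limited
        # rather than returning to the calling chain; a second conditional
        # check of the @retry_period sets here could never match after the
        # identical rules above.
        goto deco_limited
    }

    chain deco_whitelist {
        # Record the client in both the whitelist and the retry set; the ip/ip6
        # qualifier makes each add apply only to packets of that family.
        add @whitelist_ipv4 { ip saddr }
        add @whitelist_ipv6 { ip6 saddr }
        add @retry_period_ipv4 { ip saddr }
        add @retry_period_ipv6 { ip6 saddr }
        # The triggering packet itself still goes through the limited policy;
        # subsequent packets from this client are accepted by prefilter_deco.
        # NOTE(review): if $ip_comnpay is not within $ip_deco_web_whitelist this
        # first packet is rejected and the client has to retry — confirm.
        goto deco_limited
    }

    chain deco_limited {
        # Accept HTTP & HTTPS to the portal / web whitelist
        ip daddr $ip_deco_web_whitelist tcp dport { http, https } accept
        ip6 daddr $ip6_deco_web_whitelist tcp dport { http, https } accept

        # Accept DNS over both UDP and TCP for both families (TCP is needed for
        # truncated or large responses). Allowing only UDP for IPv4 and only TCP
        # for IPv6 would leave IPv6 clients without ordinary UDP resolution.
        ip daddr $ip_deco_dns_whitelist udp dport 53 accept
        ip daddr $ip_deco_dns_whitelist tcp dport 53 accept
        ip6 daddr $ip6_deco_dns_whitelist udp dport 53 accept
        ip6 daddr $ip6_deco_dns_whitelist tcp dport 53 accept

        # Reject instead of drop so the client learns faster that the traffic
        # is blocked
        reject with icmpx type admin-prohibited
    }
}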