# Layer-4 protocols handled as one "ICMP family" by the rate-limit and accept
# rules in table inet filter; note that igmp is included alongside icmp/ipv6-icmp.
define icmp_protos = {icmp, ipv6-icmp, igmp}

table arp filter {
  # Named counters referenced from the two chains below (rx = input, tx = output).
  counter arp-rx {}
  counter arp-ratelimit-rx {}
  counter arp-tx {}
  counter arp-ratelimit-tx {}

  # Bandwidth ceiling shared by both directions. "rate over" matches only once
  # the rate is exceeded, so the rules referencing it form the drop path.
  limit lim_arp { rate over 50 mbytes/second burst 50 mbytes; }

  chain input {
    type filter hook input priority filter; policy accept;
    # Inbound ARP above the ceiling is counted and dropped ...
    limit name lim_arp counter name arp-ratelimit-rx drop
    # ... everything else is counted and falls through to the accept policy.
    counter name arp-rx
  }

  chain output {
    type filter hook output priority filter; policy accept;
    # Same two-step pattern for outbound ARP.
    limit name lim_arp counter name arp-ratelimit-tx drop
    counter name arp-tx
  }
}

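table inet filter {
  # Packet-rate ceiling for the log/reject tail of the forward and input chains.
  # "rate over" matches once the rate is exceeded, so matches take the drop path.
  limit lim_reject {
    rate over 1000/second burst 1000 packets
  }

  # Bandwidth ceiling applied to the $icmp_protos family in every chain.
  limit lim_icmp {
    rate over 50 mbytes/second burst 50 mbytes
  }

  # --- named counters: forward chain (-fw) ---
  counter invalid-fw {}
  counter fw-lo {}
  counter fw-bifrost {}
  counter fw-inet {}

  counter icmp-ratelimit-vpn-fw {}
  counter icmp-ratelimit-established-fw {}
  counter icmp-ratelimit-inet-fw {}

  counter icmp-vpn-fw {}
  counter icmp-established-fw {}
  counter icmp-inet-fw {}

  counter reject-ratelimit-fw {}
  counter reject-fw {}
  counter reject-tcp-fw {}
  counter reject-icmp-fw {}

  counter drop-fw {}

  # --- named counters: input chain (-rx) ---
  counter invalid-rx {}

  counter rx-lo {}
  counter invalid-local4-rx {}
  counter invalid-local6-rx {}

  counter icmp-ratelimit-rx {}
  counter icmp-rx {}

  counter ssh-rx {}
  counter mosh-rx {}

  counter wg-rx {}
  counter yggdrasil-gre-rx {}

  counter dns-rx {}
  counter http-rx {}
  counter stun-rx {}
  counter turn-rx {}
  counter smtp-rx {}
  counter submissions-rx {}
  counter imaps-rx {}
  counter managesieve-rx {}
  counter pgbackrest-rx {}

  counter established-rx {}

  counter reject-ratelimit-rx {}
  counter reject-rx {}
  counter reject-tcp-rx {}
  counter reject-icmp-rx {}

  counter drop-rx {}

  # --- named counters: output chain (-tx) ---
  counter tx-lo {}

  counter icmp-ratelimit-tx {}
  counter icmp-tx {}

  counter ssh-tx {}
  counter mosh-tx {}
  counter dns-tx {}
  counter wg-tx {}
  counter yggdrasil-gre-tx {}
  counter http-tx {}
  counter stun-tx {}
  counter turn-tx {}
  counter smtp-tx {}
  counter submissions-tx {}
  counter imaps-tx {}
  counter managesieve-tx {}
  counter pgbackrest-tx {}

  counter tx {}

  # Routed traffic. Default deny; only the interface pairs listed below pass.
  # Interface names seen here: bifrost, yggdrasil, yggdrasil-wg-* (presumably
  # VPN/mesh links) and ens3 (presumably the uplink) - confirm against the host.
  chain forward {
    type filter hook forward priority filter
    policy drop

    # Conntrack-invalid packets are logged and dropped before any accept rule.
    ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop

    iifname lo counter name fw-lo accept

    # ICMP family. Each "limit name lim_icmp ... drop" rule only fires once the
    # shared bandwidth ceiling is exceeded; the accept directly after it is the
    # normal path for the same match.
    # VPN/mesh ingress towards bifrost or the uplink.
    meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} limit name lim_icmp counter name icmp-ratelimit-vpn-fw drop
    meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname {bifrost, ens3} counter name icmp-vpn-fw accept
    # ICMP belonging to already-tracked flows, any interface pair.
    meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter name icmp-ratelimit-established-fw drop
    meta l4proto $icmp_protos ct state {established, related} counter name icmp-established-fw accept
    # Remaining ICMP towards bifrost, i.e. from interfaces not matched above (ens3 included).
    meta l4proto $icmp_protos oifname bifrost limit name lim_icmp counter name icmp-ratelimit-inet-fw drop
    meta l4proto $icmp_protos oifname bifrost counter name icmp-inet-fw accept

    # Non-ICMP forwarding policy: anything leaving via bifrost, and bifrost -> ens3.
    # NOTE(review): the first rule carries no iifname or ct state condition, so
    # new flows arriving on ens3 are forwarded to bifrost as well - confirm that
    # is intended; otherwise restrict it by iifname or to established/related.
    oifname bifrost counter name fw-bifrost accept
    iifname bifrost oifname ens3 counter name fw-inet accept

    # Everything else: above lim_reject it is logged and dropped; below it, logged
    # and rejected (TCP reset for new TCP flows, ICMP error for other new flows).
    limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
    log level debug prefix "reject forward: " counter name reject-fw
    meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
    ct state new counter name reject-icmp-fw reject

    # Packets that are neither new nor invalid reach here and hit the drop policy.
    counter name drop-fw
  }

  # Traffic addressed to this host. Default deny; services are allow-listed by port.
  chain input {
    type filter hook input priority filter
    policy drop

    # Conntrack-invalid packets are logged and dropped before any accept rule.
    ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop

    # Loopback is trusted; loopback destinations arriving on any other interface
    # are spoofed and rejected.
    iifname lo counter name rx-lo accept
    iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
    iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject

    # ICMP family accepted from anywhere, subject to the shared bandwidth ceiling
    # (ICMPv6 must pass for neighbour discovery to work).
    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
    meta l4proto $icmp_protos counter name icmp-rx accept

    # Remote access: SSH and the mosh UDP range, from any interface.
    tcp dport 22 counter name ssh-rx accept
    udp dport 60000-61000 counter name mosh-rx accept

    # WireGuard endpoints (IPv4 on 51820, IPv6 on 51821/51822) and GRE arriving
    # over the yggdrasil-wg-* tunnels.
    meta protocol ip udp dport 51820 counter name wg-rx accept
    meta protocol ip6 udp dport {51821, 51822} counter name wg-rx accept
    iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept

    tcp dport 53 counter name dns-rx accept
    udp dport 53 counter name dns-rx accept

    # HTTP/HTTPS plus 8448 (both TCP and UDP for 443/8448).
    tcp dport {80, 443, 8448} counter name http-rx accept
    udp dport {443, 8448} counter name http-rx accept

    # STUN/TURN control ports and the TURN relay range.
    tcp dport {3478, 5349} counter name stun-rx accept
    udp dport {3478, 5349} counter name stun-rx accept
    udp dport 49000-50000 counter name turn-rx accept

    # Mail: SMTP, submissions, IMAPS, ManageSieve.
    tcp dport 25 counter name smtp-rx accept
    tcp dport 465 counter name submissions-rx accept
    tcp dport 993 counter name imaps-rx accept
    tcp dport 4190 counter name managesieve-rx accept
    # pgBackRest is only reachable over the yggdrasil interface.
    iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept

    # Return traffic for flows this host opened. Placed after the service rules,
    # so established packets to a listed port are counted under that service.
    ct state {established, related} counter name established-rx accept

    # Everything else: above lim_reject it is logged and dropped; below it, logged
    # and rejected (TCP reset for new TCP flows, ICMP error for other new flows).
    limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
    log level debug prefix "reject input: " counter name reject-rx
    meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
    ct state new counter name reject-icmp-rx reject

    # Packets that are neither new nor invalid reach here and hit the drop policy.
    counter name drop-rx
  }

  # Traffic originated by this host. Default accept; this chain mostly accounts.
  chain output {
    type filter hook output priority filter
    policy accept

    oifname lo counter name tx-lo accept

    # Outbound ICMP family, subject to the same bandwidth ceiling as inbound.
    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
    meta l4proto $icmp_protos counter name icmp-tx accept

    # Count only, no verdict: these packets continue and are also counted by "tx"
    # at the end, unlike the accepting service rules further down.
    tcp sport 22 counter name ssh-tx
    udp sport 60000-61000 counter name mosh-tx

    tcp sport 53 counter name dns-tx
    udp sport 53 counter name dns-tx

    meta protocol ip udp sport 51820 counter name wg-tx
    meta protocol ip6 udp sport {51821, 51822} counter name wg-tx
    # Packets in the output hook carry no input interface, so only an egress
    # interface match can succeed here (mirrors the iifname rule in chain input).
    oifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx

    # Service replies, counted and accepted (not reaching "tx").
    tcp sport {80, 443, 8448} counter name http-tx accept
    udp sport {443, 8448} counter name http-tx accept

    tcp sport {3478, 5349} counter name stun-tx accept
    udp sport {3478, 5349} counter name stun-tx accept
    udp sport 49000-50000 counter name turn-tx accept

    tcp sport 25 counter name smtp-tx accept
    tcp sport 465 counter name submissions-tx accept
    tcp sport 993 counter name imaps-tx accept
    tcp sport 4190 counter name managesieve-tx accept
    # Not limited to yggdrasil on the way out, unlike the matching input rule.
    tcp sport 8432 counter name pgbackrest-tx accept

    # Remaining outbound traffic, accepted by policy.
    counter name tx
  }
}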