#!/usr/sbin/nft -f
#
# Host firewall: an ARP flood guard plus an inet (IPv4+IPv6) filter with a
# default-drop input and forward policy and an open output policy.
#
# Interface names seen below (intent inferred from the rules, not stated
# anywhere in this file — confirm against the host's network config):
#   ens3           presumably the uplink
#   bifrost        a forwarded/bridged segment that is allowed out via ens3
#   yggdrasil      an overlay interface that may forward ICMP to bifrost/ens3
#   yggdrasil-wg-* per-peer interfaces carrying GRE

# Protocols covered by the ICMP-style rate limits and accepts.
# ipv6-icmp also carries IPv6 Neighbor Discovery, so every rule that drops
# this set under load also affects NDP.
define icmp_protos = { icmp, ipv6-icmp, igmp }

table arp filter {
	# One token bucket shared by ARP in both directions. Nothing is dropped
	# until ARP exceeds 50 MB/s, so this only absorbs extreme floods; normal
	# ARP never comes close.
	limit lim_arp {
		rate over 50 mbytes/second burst 50 mbytes
	}

	chain input {
		type filter hook input priority filter; policy accept;
		limit name lim_arp counter drop
		counter
	}

	chain output {
		type filter hook output priority filter; policy accept;
		limit name lim_arp counter drop
		counter
	}
}

table inet filter {
	# Ceiling on the unsolicited packets per second that the reject tails of
	# the input and forward chains will log and answer. Above it, traffic is
	# silently dropped instead of rejected, so a flood cannot turn this host
	# into an ICMP-error / TCP-RST amplifier. The bucket is shared by both
	# chains.
	limit lim_reject {
		rate over 1000/second burst 1000 packets
	}

	# ICMP/IGMP volume cap. NOTE(review): this single bucket is referenced
	# from the input, forward AND output chains, so an inbound flood that
	# trips it also drops the host's own outbound ICMP (ICMP errors, PMTUD,
	# IPv6 NDP). A separate limit object for the output chain would decouple
	# them if that matters here.
	limit lim_icmp {
		rate over 50 mbytes/second burst 50 mbytes
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		ct state invalid log level debug prefix "drop invalid forward: " counter drop
		iifname "lo" counter accept

		# ICMP from the overlay/bridge toward bifrost or the uplink: capped,
		# then accepted.
		meta l4proto $icmp_protos iifname { "yggdrasil", "bifrost" } oifname { "bifrost", "ens3" } limit name lim_icmp counter drop
		meta l4proto $icmp_protos iifname { "yggdrasil", "bifrost" } oifname { "bifrost", "ens3" } counter accept

		# ICMP belonging to a known flow (e.g. errors for tracked connections).
		meta l4proto $icmp_protos ct state { established, related } limit name lim_icmp counter drop
		meta l4proto $icmp_protos ct state { established, related } counter accept

		# Any ICMP headed into bifrost.
		meta l4proto $icmp_protos oifname "bifrost" limit name lim_icmp counter drop
		meta l4proto $icmp_protos oifname "bifrost" counter accept

		# Everything into bifrost, and bifrost out to the uplink, is allowed
		# unconditionally (no port or state restriction on either rule).
		oifname "bifrost" counter accept
		iifname "bifrost" oifname "ens3" counter accept

		# Tail: log + reject the first 1000 pkt/s, silently drop the rest.
		limit name lim_reject log level debug prefix "drop forward: " counter drop
		log level debug prefix "reject forward: " counter
		meta l4proto tcp ct state new counter reject with tcp reset
		ct state new counter reject
		counter
	}

	chain input {
		type filter hook input priority filter; policy drop;

		ct state invalid log level debug prefix "drop invalid input: " counter drop
		iifname "lo" counter accept

		# Loopback-destined packets arriving on a real interface are spoofed.
		iif != "lo" ip daddr 127.0.0.0/8 counter reject
		iif != "lo" ip6 daddr ::1/128 counter reject

		# All ICMP/IGMP types are accepted once under the volume cap; nothing
		# here filters by ICMP type.
		meta l4proto $icmp_protos limit name lim_icmp counter drop
		meta l4proto $icmp_protos counter accept

		# Services reachable on every interface, including the uplink.
		# NOTE(review): SSH is open to all sources with no per-source
		# connection limit; DNS on 53 is exposed to the world — confirm the
		# resolver behind it is not recursive for arbitrary clients.
		tcp dport 22 counter accept
		udp dport 60001-61000 counter accept              # presumably mosh
		meta protocol ip udp dport 51820 counter accept    # presumably WireGuard, IPv4 only
		meta protocol ip6 udp dport { 51821, 51822 } counter accept   # presumably WireGuard, IPv6 only
		iifname "yggdrasil-wg-*" meta l4proto gre counter accept      # GRE only from the matching tunnel interfaces
		tcp dport 53 counter accept
		udp dport 53 counter accept
		tcp dport { 80, 443 } counter accept

		ct state { established, related } counter accept

		# Tail: log + reject the first 1000 pkt/s, silently drop the rest.
		# Rejecting (rather than dropping) new UDP answers with ICMP
		# unreachable, which confirms the host exists to a scanner.
		limit name lim_reject log level debug prefix "drop input: " counter drop
		log level debug prefix "reject input: " counter
		meta l4proto tcp ct state new counter reject with tcp reset
		ct state new counter reject
		counter
	}

	chain output {
		type filter hook output priority filter; policy accept;

		oifname "lo" counter accept

		# Outbound ICMP shares lim_icmp with the other chains (see the limit
		# definition above).
		meta l4proto $icmp_protos limit name lim_icmp counter drop
		meta l4proto $icmp_protos counter accept
		counter
	}
}