# nftables ruleset for a small router.  Interfaces referenced below: dsl (the
# upstream link), lan, mgmt, lo, plus tunnel interfaces named "yggdrasil-wg-*".
#   table arp  filter    - rate-limit ARP per interface class
#   table inet filter    - the IPv4/IPv6 policy (forward / input / output)
#   table ip   nat       - IPv4 masquerade out of dsl
#   table ip   mss_clamp - IPv4 TCP MSS clamping out of dsl
# Named limit objects are stateful and shared by every rule that references
# them, so e.g. lim_arp_local is one bucket covering both input and output,
# and lim_reject is one bucket covering both the forward and input chains.

# Protocols handled by the "icmp" rate-limit / accept rules below.
define icmp_protos = { ipv6-icmp, icmp, igmp }

table arp filter {
    # Two ARP budgets: a generous one for local interfaces and a smaller one
    # for the dsl uplink.  "rate over" makes the limit match (and the rule
    # drop) only once the budget is exceeded.
    limit lim_arp_local { rate over 50 mbytes/second burst 50 mbytes }
    limit lim_arp_dsl { rate over 1400 kbytes/second burst 1400 kbytes }

    chain input {
        type filter hook input priority filter
        policy accept
        iifname != dsl limit name lim_arp_local counter drop
        iifname dsl limit name lim_arp_dsl counter drop
        counter   # everything under budget: counted, then policy accept
    }

    chain output {
        type filter hook output priority filter
        policy accept
        oifname != dsl limit name lim_arp_local counter drop
        oifname dsl limit name lim_arp_dsl counter drop
        counter
    }
}

table inet filter {
    # Budget for answered rejects (shared by forward and input): once more than
    # 1000/s of unwanted packets arrive, they are dropped instead of rejected.
    limit lim_reject { rate over 1000/second burst 1000 packets }
    # Byte budgets for $icmp_protos traffic, local interfaces vs the dsl uplink.
    limit lim_icmp_local { rate over 50 mbytes/second burst 50 mbytes }
    limit lim_icmp_dsl { rate over 1400 kbytes/second burst 1400 kbytes }

    # Forwarded $icmp_protos traffic: drop whatever exceeds the per-class
    # budget on either the ingress or the egress side, accept the rest.
    chain forward_icmp_accept {
        oifname dsl limit name lim_icmp_dsl counter drop
        iifname dsl limit name lim_icmp_dsl counter drop
        oifname != dsl limit name lim_icmp_local counter drop
        iifname != dsl limit name lim_icmp_local counter drop
        counter accept
    }

    chain forward {
        type filter hook forward priority filter
        policy drop
        ct state invalid log prefix "drop invalid forward: " counter drop
        iifname lo counter accept
        # ICMP/ICMPv6/IGMP from any interface towards lan or dsl, rate-limited
        # in forward_icmp_accept.  NOTE(review): this also admits unsolicited
        # ICMPv6 arriving on dsl straight to lan hosts (needed for echo and
        # PMTUD; tighten per RFC 4890 if that is not wanted).
        oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
        # lan -> dsl: anything; dsl -> lan: only replies to existing flows.
        # mgmt and the tunnel interfaces have no forward rule of their own, so
        # apart from the ICMP jump above their traffic hits policy drop.
        iifname lan oifname dsl counter accept
        iifname dsl oifname lan ct state {established, related} counter accept
        # Tail: while under the lim_reject budget, log and actively reject new
        # flows; once over it, drop.  NOTE(review): the over-budget rule still
        # emits one log line per packet, so a flood is not throttled in the
        # kernel log - consider bounding that log too, e.g. by jumping to a
        # chain that does `limit rate 10/second log prefix "drop forward: "`
        # and then an unconditional `counter drop`.
        limit name lim_reject log prefix "drop forward: " counter drop
        log prefix "reject forward: " counter
        meta l4proto tcp ct state new counter reject with tcp reset
        ct state new counter reject
        counter   # non-new leftovers: counted, then policy drop
    }

    chain input {
        type filter hook input priority filter
        policy drop
        ct state invalid log prefix "drop invalid input: " counter drop
        iifname lo counter accept
        # Loopback anti-spoofing: packets for 127/8 or ::1 arriving on a real
        # interface (matched by interface index, hence iif rather than iifname).
        iif != lo ip daddr 127.0.0.1/8 counter reject
        iif != lo ip6 daddr ::1/128 counter reject
        # ICMP/ICMPv6/IGMP addressed to the router: per-class byte budget, then
        # accepted from every interface (ICMPv6 is needed for NDP regardless).
        iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
        iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
        meta l4proto $icmp_protos counter accept
        # Services offered by the router itself.
        # NOTE(review): the two rules below carry no iifname match, so SSH and
        # udp 60001-61000 are reachable from dsl (the uplink) as well as from
        # lan/mgmt.  If remote administration over dsl is not intended, add
        # `iifname != dsl` to both.
        tcp dport 22 counter accept
        udp dport 60001-61000 counter accept   # presumably mosh's default range - verify
        iifname lan tcp dport 53 counter accept   # DNS, lan only
        iifname lan udp dport 53 counter accept
        # udp 51820 over IPv4 and 51821 over IPv6, on any interface - presumably
        # the WireGuard listen ports; verify against the wg configuration.
        meta protocol ip udp dport 51820 counter accept
        meta protocol ip6 udp dport 51821 counter accept
        # GRE carried over the yggdrasil WireGuard interfaces (name prefix match).
        iifname "yggdrasil-wg-*" meta l4proto gre counter accept
        # DHCPv6 on the uplink: server port 547 -> client port 546, accepted
        # explicitly rather than via the established/related rule further down.
        iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept
        iifname mgmt udp dport 123 counter accept          # NTP, mgmt only
        iifname {lan, mgmt} udp dport 67 counter accept    # DHCPv4 server
        # Windows name/service discovery and file sharing, lan only:
        # NetBIOS 137/138/139, SMB 445, WS-Discovery 3702 / WSDAPI 5357.
        iifname lan udp dport { 137, 138, 3702 } counter accept
        iifname lan tcp dport { 445, 139, 5357 } counter accept
        ct state {established, related} counter accept
        # Same logged-reject / over-budget-drop tail as the forward chain; the
        # same NOTE(review) about unbounded "drop input: " logging applies.
        limit name lim_reject log prefix "drop input: " counter drop
        log prefix "reject input: " counter
        meta l4proto tcp ct state new counter reject with tcp reset
        ct state new counter reject
        counter
    }

    chain output {
        type filter hook output priority filter
        policy accept
        oifname lo counter accept
        # Locally generated ICMP/ICMPv6/IGMP gets the same per-class budget.
        oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
        oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
        meta l4proto $icmp_protos counter accept
        counter
    }
}

table ip nat {
    # IPv4 only: everything leaving via dsl is masqueraded.  There is no IPv6
    # NAT in this ruleset; IPv6 is routed and relies on the inet filter
    # forward policy for protection.
    chain postrouting {
        type nat hook postrouting priority srcnat
        policy accept
        oifname dsl counter masquerade
    }
}

table ip mss_clamp {
    # Clamp the MSS of IPv4 TCP SYNs (SYN set, RST clear) leaving via dsl to
    # the route MTU.  NOTE(review): this table is family "ip", so IPv6 TCP over
    # dsl is not clamped although IPv6 is in use on that link (see the DHCPv6
    # rule in inet filter input); if the dsl MTU is below 1500, the same rule
    # in a "table inet" would cover both families.
    chain postrouting {
        type filter hook postrouting priority mangle
        policy accept
        oifname dsl tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
    }
}