#!/usr/sbin/nft -f

{% import 'firewall/nftables-defines.j2' as group_tmpl %}

{% set nft_ct_ignore_name = 'VYOS_CT_IGNORE' %}
{% set nft_ct_timeout_name = 'VYOS_CT_TIMEOUT' %}

# we first flush all chains and render the content from scratch - this makes
# any delta check obsolete
flush chain raw {{ nft_ct_ignore_name }}
flush chain raw {{ nft_ct_timeout_name }}

table raw {
    chain {{ nft_ct_ignore_name }} {
{% if ignore.ipv4.rule is vyos_defined %}
{%     for rule, rule_config in ignore.ipv4.rule.items() %}
        # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
       {{ rule_config | conntrack_ignore_rule(rule, ipv6=False) }}
{%     endfor %}
{% endif %}
        return
    }
    chain {{ nft_ct_timeout_name }} {
{% if timeout.custom.rule is vyos_defined %}
{%     for rule, rule_config in timeout.custom.rule.items() %}
        # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
{%     endfor %}
{% endif %}
        return
    }

{{ group_tmpl.groups(firewall_group, False) }}
}

flush chain ip6 raw {{ nft_ct_ignore_name }}
flush chain ip6 raw {{ nft_ct_timeout_name }}

table ip6 raw {
    chain {{ nft_ct_ignore_name }} {
{% if ignore.ipv6.rule is vyos_defined %}
{%     for rule, rule_config in ignore.ipv6.rule.items() %}
        # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
       {{ rule_config | conntrack_ignore_rule(rule, ipv6=True) }}
{%     endfor %}
{% endif %}
        return
    }
    chain {{ nft_ct_timeout_name }} {
{% if timeout.custom.rule is vyos_defined %}
{%     for rule, rule_config in timeout.custom.rule.items() %}
        # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
{%     endfor %}
{% endif %}
        return
    }

{{ group_tmpl.groups(firewall_group, True) }}
}