#!/usr/sbin/nft -f

{% import 'firewall/nftables-defines.j2' as group_tmpl %}

{% if cleanup_commands is vyos_defined %}
{%     for command in cleanup_commands %}
{{ command }}
{%     endfor %}
{% endif %}

table ip mangle {
{% if first_install is vyos_defined %}
    chain VYOS_PBR_PREROUTING {
        type filter hook prerouting priority -150; policy accept;
    }
    chain VYOS_PBR_POSTROUTING {
        type filter hook postrouting priority -150; policy accept;
    }
{% endif %}
{% if route is vyos_defined %}
{%     for route_text, conf in route.items() %}
    chain VYOS_PBR_{{ route_text }} {
{%         if conf.rule is vyos_defined %}
{%             for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
        {{ rule_conf | nft_rule(route_text, rule_id, 'ip') }}
{%             endfor %}
{%         endif %}
        {{ conf | nft_default_rule(route_text) }}
    }
{%     endfor %}
{% endif %}

{{ group_tmpl.groups(firewall_group, False) }}
}

table ip6 mangle {
{% if first_install is vyos_defined %}
    chain VYOS_PBR6_PREROUTING {
        type filter hook prerouting priority -150; policy accept;
    }
    chain VYOS_PBR6_POSTROUTING {
        type filter hook postrouting priority -150; policy accept;
    }
{% endif %}
{% if route6 is vyos_defined %}
{%     for route_text, conf in route6.items() %}
    chain VYOS_PBR6_{{ route_text }} {
{%         if conf.rule is vyos_defined %}
{%             for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
        {{ rule_conf | nft_rule(route_text, rule_id, 'ip6') }}
{%             endfor %}
{%         endif %}
        {{ conf | nft_default_rule(route_text) }}
    }
{%     endfor %}
{% endif %}
{{ group_tmpl.groups(firewall_group, True) }}
}