#!/usr/sbin/nft -f

{% if cleanup_commands is vyos_defined %}
{%     for command in cleanup_commands %}
{{ command }}
{%     endfor %}
{% endif %}

{% if zone is vyos_defined %}
table ip filter {
{%     for zone_name, zone_conf in zone.items() if zone_conf.ipv4 %}
{%         if zone_conf.local_zone is vyos_defined %}
    chain VZONE_{{ zone_name }}_IN {
        iifname lo counter return
{%             for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is vyos_defined %}
        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }}
        iifname { {{ zone[from_zone].interface | join(",") }} } counter return
{%             endfor %}
        {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
    }
    chain VZONE_{{ zone_name }}_OUT {
        oifname lo counter return
{%             for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.name is vyos_defined %}
        oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }}
        oifname { {{ zone[from_zone].interface | join(",") }} } counter return
{%             endfor %}
        {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
    }
{%         else %}
    chain VZONE_{{ zone_name }} {
        iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6=False) }}
{%             if zone_conf.intra_zone_filtering is vyos_defined %}
        iifname { {{ zone_conf.interface | join(",") }} } counter return
{%             endif %}
{%             for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is vyos_defined %}
{%                 if zone[from_zone].local_zone is not defined %}
        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }}
        iifname { {{ zone[from_zone].interface | join(",") }} } counter return
{%                 endif %}
{%             endfor %}
        {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
    }
{%         endif %}
{%     endfor %}
}

table ip6 filter {
{%     for zone_name, zone_conf in zone.items() if zone_conf.ipv6 %}
{%         if zone_conf.local_zone is vyos_defined %}
    chain VZONE6_{{ zone_name }}_IN {
        iifname lo counter return
{%             for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is vyos_defined %}
        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }}
        iifname { {{ zone[from_zone].interface | join(",") }} } counter return
{%             endfor %}
        {{ zone_conf | nft_default_rule('zone6_' + zone_name) }}
    }
    chain VZONE6_{{ zone_name }}_OUT {
        oifname lo counter return
{%             for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.ipv6_name is vyos_defined %}
        oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }}
        oifname { {{ zone[from_zone].interface | join(",") }} } counter return
{%             endfor %}
        {{ zone_conf | nft_default_rule('zone6_' + zone_name) }}
    }
{%         else %}
    chain VZONE6_{{ zone_name }} {
        iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6=True) }}
{%             if zone_conf.intra_zone_filtering is vyos_defined %}
        iifname { {{ zone_conf.interface | join(",") }} } counter return
{%             endif %}
{%             for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is vyos_defined %}
{%                 if zone[from_zone].local_zone is not defined %}
        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }}
        iifname { {{ zone[from_zone].interface | join(",") }} } counter return
{%                 endif %}
{%             endfor %}
        {{ zone_conf | nft_default_rule('zone6_' + zone_name) }}
    }
{%         endif %}
{%     endfor %}
}

{%     for zone_name, zone_conf in zone.items() %}
{%         if zone_conf.ipv4 %}
{%             if 'local_zone' in zone_conf %}
insert rule ip filter VYOS_FW_LOCAL counter jump VZONE_{{ zone_name }}_IN
insert rule ip filter VYOS_FW_OUTPUT counter jump VZONE_{{ zone_name }}_OUT
{%             else %}
insert rule ip filter VYOS_FW_FORWARD oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE_{{ zone_name }}
{%             endif %}
{%         endif %}
{%         if zone_conf.ipv6 %}
{%             if 'local_zone' in zone_conf %}
insert rule ip6 filter VYOS_FW6_LOCAL counter jump VZONE6_{{ zone_name }}_IN
insert rule ip6 filter VYOS_FW6_OUTPUT counter jump VZONE6_{{ zone_name }}_OUT
{%             else %}
insert rule ip6 filter VYOS_FW6_FORWARD oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE6_{{ zone_name }}
{%             endif %}
{%         endif %}
{%     endfor %}

{# Ensure that state-policy rule is first in the chain #}
{%     if firewall.state_policy is vyos_defined %}
{%         for chain in ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL'] %}
insert rule ip filter {{ chain }} jump VYOS_STATE_POLICY
{%         endfor %}
{%         for chain in ['VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL'] %}
insert rule ip6 filter {{ chain }} jump VYOS_STATE_POLICY6
{%         endfor %}
{%     endif %}

{% endif %}