#!/usr/sbin/nft -f

# Required by wanloadbalance
table ip nat {
    chain VYOS_PRE_SNAT_HOOK {
        type nat hook postrouting priority 99; policy accept;
        return
    }
}

table inet mangle {
    # Used by system flow-accounting
    chain FORWARD {
        type filter hook forward priority -150; policy accept;
    }
}

table raw {
    chain VYOS_TCP_MSS {
        type filter hook forward priority -300; policy accept;
    }

    chain vyos_global_rpfilter {
        return
    }

    chain vyos_rpfilter {
        type filter hook prerouting priority -300; policy accept;
        counter jump vyos_global_rpfilter
    }

    # Used by system flow-accounting
    chain VYOS_PREROUTING_HOOK {
        type filter hook prerouting priority -300; policy accept;
    }
}

table ip6 raw {
    chain VYOS_TCP_MSS {
        type filter hook forward priority -300; policy accept;
    }

    chain vyos_global_rpfilter {
        return
    }

    chain vyos_rpfilter {
        type filter hook prerouting priority -300; policy accept;
        counter jump vyos_global_rpfilter
    }

    # Used by system flow-accounting
    chain VYOS_PREROUTING_HOOK {
        type filter hook prerouting priority -300; policy accept;
    }
}

# Required by VRF
table inet vrf_zones {
    # Map of interfaces and connections tracking zones
    map ct_iface_map {
        typeof iifname : ct zone
    }
    # Assign unique zones for each VRF
    # Chain for inbound traffic
    chain vrf_zones_ct_in {
        type filter hook prerouting priority raw; policy accept;
    }
    # Chain for locally-generated traffic
    chain vrf_zones_ct_out {
        type filter hook output priority raw; policy accept;
    }
}