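#!/usr/sbin/nft -f
#
# Host firewall: default-deny for inbound and forwarded traffic, all outbound allowed.
# This file is a template; the ssh_port and ntp_port variables must be rendered
# to port numbers before the ruleset is loaded.

# Start from an empty ruleset so reloading this file never stacks duplicate rules.
# NOTE: this clears every nftables table on the host, including any created by
# other tools, not just the table defined below.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always allowed.
        iif "lo" accept

        # Drop packets that conntrack classifies as invalid before any of the
        # port-based accept rules below can match them.
        ct state invalid drop

        # Replies and related flows for connections that were already permitted.
        ct state established,related accept

        # SSH: accepted from any source address, unlike the Proxmox and NTP
        # rules below, which are limited to 192.168.0.0/24.
        # NOTE(review): confirm that this wider exposure is intended.
        tcp dport {{ ssh_port }} accept

        # ICMP: all types are accepted for both address families.
        ip protocol icmp accept
        # "ip6 nexthdr" only inspects the Next Header field of the fixed IPv6
        # header, so it misses ICMPv6 that follows an extension header;
        # "meta l4proto" matches the actual transport protocol.
        meta l4proto ipv6-icmp accept

        # Proxmox Web/API (LAN only)
        ip saddr 192.168.0.0/24 tcp dport 8006 accept

        # NTP (LAN only)
        ip saddr 192.168.0.0/24 udp dport {{ ntp_port }} accept
    }

    chain forward {
        # No rules: everything routed through this host is dropped.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Locally generated traffic is not filtered.
        type filter hook output priority 0; policy accept;
    }
}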