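# Router ruleset: stateful input filter (IPv4+IPv6 via the inet family) plus IPv4
# port forwarding / masquerading for the LAN behind $WAN.

define WAN = wan0
define LAN = lan0
define VPN = wg-vpn   # declared but not referenced by any rule below

table inet filter {
    chain input {
        # policy drop replaces the original "policy accept" + trailing "drop":
        # same behaviour, but the chain now fails closed if the final rule is
        # ever removed or a reload is cut short.
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state invalid drop
        ct state { established, related } accept

        # ICMP.  The original also had "ip protocol icmpv6 accept", which matches
        # the IPv4 protocol field against 58 (ICMPv6) - not a real ICMPv6 match -
        # so it has been removed.
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        ip protocol icmp accept
        # NOTE(review): this accepts every ICMPv6 type, so the explicit type set
        # above is currently redundant.  Drop this line to enforce the set (add the
        # MLD report types first if this router acts as a multicast querier).
        meta l4proto ipv6-icmp accept

        # Service ports.  This is an inet table, so these match IPv4 and IPv6
        # alike; no separate ipv6-specific entries are needed.
        # NOTE(review): there is no iifname guard, so 22/53/67 are reachable on
        # $WAN as well.  If DNS/DHCP serve only the LAN, prefix those ports with
        # "iifname != $WAN".  (For IPv4, tcp 22 from $WAN is DNAT'd to 192.168.0.9
        # in table ip nat before it reaches this chain.)
        tcp dport { 64022, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 8448, 8008, 25565, 34197 } accept
        udp dport { 64020, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 25565, 34197 } accept
        udp dport { 60000-60009 } accept
        udp dport dhcpv6-client accept
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # same conntrack hygiene as the input chain
        ct state invalid drop
        # NOTE(review): everything else is forwarded unconditionally, including
        # traffic arriving on $WAN that was not DNAT'd (relevant for any public
        # IPv6 prefix routed to the LAN).  A restrictive drop-in would be:
        #   ct state { established, related } accept
        #   iifname { $LAN, $VPN } accept
        #   ct status dnat accept
        #   drop
        accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
        accept
    }
}

table ip nat {
    # source ranges that get masqueraded on any outgoing interface (see postrouting)
    set masq_saddr {
        type ipv4_addr
        flags interval
        elements = { 192.168.0.0/16 }
    }

    # proto . port -> internal addr . port; no static elements here, so it is
    # presumably populated at runtime (nft add element ...) - confirm.
    map map_port_ipport {
        type inet_proto . inet_service : ipv4_addr . inet_service
    }

    chain prerouting {
        type nat hook prerouting priority dstnat + 1; policy accept;

        # LAN-originated traffic is never DNAT'd
        iifname $LAN accept
        # packets addressed to one of the router's own addresses: consult the map
        fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport

        # chromebox
        iifname $WAN tcp dport { 8008, 8448, 7777 } dnat to 192.168.0.5
        iifname $WAN udp dport { 7777 } dnat to 192.168.0.5
        iifname $WAN udp dport 60010-60019 dnat to 192.168.0.5

        # old dragon?
        # iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 192.168.0.10
        # iifname $WAN udp dport 60020-60029 dnat to 192.168.0.10
        iifname $WAN tcp dport { 10578, 5588, 5589 } dnat to 192.168.0.11
        iifname $WAN udp dport { 10578 } dnat to 192.168.0.11

        # dragon reinstall?
        # The original rule below also listed tcp 5588/5589, but dnat is terminal
        # and the 192.168.0.11 rule above already claims those tcp ports, so they
        # could never reach .10; the dead entries are dropped.  If .10 is the
        # intended target, move this rule above the .11 one instead.
        iifname $WAN tcp dport { 2221 } dnat to 192.168.0.10
        iifname $WAN udp dport { 2221, 5588, 5589 } dnat to 192.168.0.10
        iifname $WAN udp dport 60020-60029 dnat to 192.168.0.10
        # iifname $WAN udp dport 9876-9877 dnat to 192.168.0.10 # valheim

        # beefcake (ben access)
        iifname $WAN tcp dport { 64022 } dnat to 192.168.0.9
        iifname $WAN udp dport { 64020 } dnat to 192.168.0.9
        # beefcake services
        iifname $WAN tcp dport { 443, 80, 22 } dnat to 192.168.0.9

        # mnemonic
        iifname $WAN tcp dport { 8022 } dnat to 192.168.0.248

        # ourcraft
        iifname $WAN tcp dport { 2456, 2457, 25565, 34197 } dnat to 192.168.0.244
        iifname $WAN udp dport { 2456, 2457, 25565, 34197 } dnat to 192.168.0.244

        # router
        iifname $WAN tcp dport { 2201 } dnat to 192.168.0.1
        iifname $WAN udp dport { 2201 } dnat to 192.168.0.1
    }

    chain output {
        type nat hook output priority -99; policy accept;
        # locally generated packets to a local, non-loopback address go through
        # the same map - presumably so the router can reach its own forwarded
        # services (hairpin); confirm.
        ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
    }

    chain postrouting {
        type nat hook postrouting priority srcnat + 1; policy accept;
        # everything leaving via the LAN interface is source-rewritten
        oifname $LAN masquerade
        # 192.168.0.0/16 sources are masqueraded on every other outgoing
        # interface too (no oifname constraint), including $WAN and $VPN
        ip saddr @masq_saddr masquerade
    }
}

# inactive leftover kept for reference
# table ip filter {
#     chain output {
#         type filter hook output priority 100; policy accept;
#     }
#
#     chain input {
#         type filter hook input priority 0; policy accept;
#     }
#
#     chain forward {
#         type filter hook forward priority 0; policy accept;
#     }
# }
#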