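#!/usr/sbin/nft -f
# Host firewall: default-deny on the input, output and forward hooks, plus a
# stateless scrub of malformed TCP flag combinations that runs before conntrack.

flush ruleset

table inet raw {
    chain PREROUTING-stateless {
        # XXX can't add that to the ingress hook as that happens before IP defragmentation
        # so we don't have the TCP header in later fragments (we don't want to drop IP
        # fragments, see https://blog.cloudflare.com/ip-fragmentation-is-broken/ )
        type filter hook prerouting priority -399; policy accept; # > NF_IP_PRI_CONNTRACK_DEFRAG (-400)

        # stateless filter for bogus TCP packets; they are dropped before
        # conntrack sees them, so they never create or touch a ct entry
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop # null packet
        tcp flags & (fin|psh|urg) == fin|psh|urg counter drop # XMAS packet
        tcp flags & (syn|rst) == syn|rst counter drop
        tcp flags & (fin|rst) == fin|rst counter drop
        tcp flags & (fin|syn) == fin|syn counter drop
        tcp flags & (fin|psh|ack) == fin|psh counter drop # FIN/PSH without ACK
    }

    chain PREROUTING {
        type filter hook prerouting priority -199; policy accept; # > NF_IP_PRI_CONNTRACK (-200)

        # stateful filter: runs after conntrack, so "invalid" is meaningful here
        ct state invalid counter drop
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state related,established accept
        # NOTE(review): every ICMP/ICMPv6 type is accepted with no rate limit.
        # ICMPv6 is required for NDP and PMTUD; narrow by type or add a limit
        # if unsolicited ICMP is a concern on this host.
        meta l4proto { icmp, icmpv6 } counter accept
        tcp dport 22 ct state new counter accept
        tcp dport { 80, 443 } ct state new counter accept
    }

    chain forward {
        # Added: the original ruleset had no base chain on the forward hook, so
        # forwarded packets were not filtered by this table at all. A drop
        # policy keeps the host from routing between interfaces should IP
        # forwarding ever be enabled; add explicit rules here if the host is
        # meant to route.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif lo accept
        ct state related,established accept
        meta l4proto { icmp, icmpv6 } counter accept
        ct state new counter accept

        # graceful reject: only packets conntrack did not classify as
        # new/established/related (i.e. invalid or untracked) reach this point.
        # Reject rather than drop so local processes fail fast instead of
        # waiting for a timeout.
        meta l4proto tcp counter reject with tcp reset
        meta l4proto udp counter reject
        counter reject
    }
}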