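#!/usr/sbin/nft -f

# Source ranges of the Docker bridge networks on this host.
# Traffic carrying these source addresses is trusted only when it does NOT
# arrive on the uplink (eth0); see the anti-spoofing rules below.
define docker_v4 = 172.17.0.0/16
define docker_v6 = fcdd::/48

# start with a clean slate
# NOTE(review): this removes every table on the host, including any that other
# tooling (e.g. Docker's own iptables/nftables rules) has installed — confirm
# that re-applying this file is the intended way to reset the ruleset.
flush ruleset

table inet filter {
    chain input {
        # default input policy is drop
        type filter hook input priority 50; policy drop;

        # fast path for established/related connections, evaluated first so the
        # remaining rules only see new connections; packets that belong to no
        # tracked connection (bad TCP flags, late RSTs) are dropped here
        ct state established,related accept
        ct state invalid drop

        # accept any localhost traffic
        iif "lo" accept

        # anti-spoofing: the docker ranges are internal, so a packet with one of
        # them as source address arriving on the uplink is forged and must not
        # reach the docker accept rules below
        iif eth0 ip saddr $docker_v4 drop
        iif eth0 ip6 saddr $docker_v6 drop

        # accept any docker traffic (now guaranteed not to come from eth0)
        ip saddr $docker_v4 accept
        ip6 saddr $docker_v6 accept

        # accept any icmp traffic (ICMPv6 is required for ND/RA on IPv6)
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
    }

    chain forward {
        # default forward policy is drop
        type filter hook forward priority 50; policy drop;

        # established/related first, invalid dropped, as in the input chain
        ct state established,related accept
        ct state invalid drop

        # anti-spoofing on the uplink, mirroring the input chain so a forged
        # docker source on eth0 cannot be hairpinned back out through eth0
        iif eth0 ip saddr $docker_v4 drop
        iif eth0 ip6 saddr $docker_v6 drop

        # accept any docker traffic going to the internet
        ip saddr $docker_v4 oif eth0 accept
        ip6 saddr $docker_v6 oif eth0 accept
    }

    chain output {
        # default output policy is accept
        type filter hook output priority 50; policy accept;
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
    }

    chain postrouting {
        type nat hook postrouting priority 100;

        # apply source nat for docker traffic to the internet
        ip saddr $docker_v4 oif eth0 masquerade
    }
}

table ip6 nat {
    chain prerouting {
        type nat hook prerouting priority 0;
    }

    chain postrouting {
        type nat hook postrouting priority 100;

        # apply source nat for docker traffic to the internet
        ip6 saddr $docker_v6 oif eth0 masquerade
    }
}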