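# {{ansible_managed}}
#
# nftables ruleset for a Xen host. $nic is the host's external bridge; guests
# sit behind it on 10.1.0.0/16. The file does two things:
#   1. refuses the usual SSH ports (22, 2222, 2223) on $nic for the host itself,
#   2. NATs the guest subnet: DNAT of two external ports to guest SSH, SNAT of
#      guest-originated traffic leaving via $nic to the host's address.
#
# NOTE(review): every filter chain has "policy accept" and the forward chain
# carries no rules, so nothing here restricts forwarded traffic. Which guest
# ports are reachable from $nic is decided solely by the NAT rules below and by
# whatever the guests themselves enforce.

# "flush ruleset" is deliberately left disabled: it would remove every table on
# the host, not just the two managed here. Each managed table is instead
# created and flushed individually below, which keeps reloads idempotent and
# leaves any unrelated tables untouched.
#flush ruleset

define nic=xenbr0
# Guest-side bridge. No rule in this file references it -- TODO confirm whether
# it is still needed or can be dropped.
define gstnic=guestbr0

# --- filtering ---------------------------------------------------------------
# Create-then-flush: declaring the table first makes the flush succeed on a
# fresh host, and flushing before the block below prevents rules from being
# appended a second time when the file is reloaded.
table inet filter
flush table inet filter
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;

        # Refuse the common SSH ports on the external bridge so that anyone
        # probing them gets an immediate "connection refused" rather than a
        # hang. "with tcp reset" answers with a TCP RST, which every TCP stack
        # treats as a hard refusal; the bare "reject" default (ICMP
        # port-unreachable) may be treated as a soft error and retried by some
        # clients, which defeats the "avoid confusion" purpose of this rule.
        iif $nic tcp dport { 22, 2222, 2223 } reject with tcp reset
    }

    # Forwarded traffic (guest <-> $nic, including the DNAT'd flows below) is
    # not filtered here at all.
    chain forward {
        type filter hook forward priority filter; policy accept;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

# --- NAT ---------------------------------------------------------------------
# Same create-then-flush pattern as the filter table.
table ip nat
flush table ip nat
table ip nat {
    # DNAT: expose guest SSH on non-standard external ports.
    #   $nic:21 -> 10.1.0.21:22
    #   $nic:23 -> 10.1.0.23:22
    # These rules carry no source restriction, and the forward chain above
    # accepts everything, so both guests' SSH is reachable from anything that
    # can reach $nic.
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # nobudget instances
        iif $nic tcp dport 21 dnat to 10.1.0.21:22
        iif $nic tcp dport 23 dnat to 10.1.0.23:22
    }

    # SNAT: rewrite the source of guest-originated traffic leaving via $nic.
    # "cidr" is an Ansible variable -- presumably the host's address on $nic in
    # CIDR notation (confirm against the playbook); the filter strips the
    # "/prefix" suffix because snat takes a bare address.
    chain postrouting {
        type nat hook postrouting priority srcnat;
        # guest network
        ip saddr 10.1.0.0/16 oif $nic snat to {{ cidr | regex_replace('/\d+$','') }}
    }
}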