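#!/usr/sbin/nft -f
# Ansible managed — do not edit by hand. Source: roles/base (ADR-020).
#
# Host firewall: default-deny on input, loopback and conntrack fast path,
# SSH reachable only via the management interface and the listed admin /
# control addresses, then one allow rule per entry of base__firewall_resolved.
# Site-local additions go into drop-in files (see the include at the end).

# "flush ruleset" clears every table in every family, not only "inet filter";
# tables created by other tools on this host are removed as well. nft -f
# applies the file atomically, so a parse error leaves the previous ruleset
# in place rather than a half-loaded one.
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop

    # SSH: any source on the management interface, plus the optional control
    # address and the admin allow-list on any interface.
    iifname "{{ base__firewall_mgmt_interface }}" tcp dport {{ base__firewall_ssh_port }} accept
{% if base__firewall_control_addr %}
    ip saddr {{ base__firewall_control_addr }} tcp dport {{ base__firewall_ssh_port }} accept
{% endif %}
{% for addr in base__firewall_admin_addrs %}
    ip saddr {{ addr }} tcp dport {{ base__firewall_ssh_port }} accept
{% endfor %}

    # All ICMP / ICMPv6 types are accepted; ICMPv6 carries neighbour discovery,
    # without which an IPv6 host cannot operate.
    ip protocol icmp accept
    # "meta l4proto" instead of "ip6 nexthdr": nexthdr only matches the field
    # in the fixed IPv6 header, so ICMPv6 carried behind an extension header
    # (e.g. hop-by-hop, used by MLD) would fall through to the drop policy.
    meta l4proto ipv6-icmp accept

    # Per-service allow rules, one per entry. An entry whose "sources" is
    # empty renders "ip saddr { }", which nft rejects, and "ip saddr" matches
    # IPv4 only — validate entries where base__firewall_resolved is built.
{% for r in base__firewall_resolved %}
    ip saddr { {{ r.sources | join(', ') }} } {{ r.proto }} dport {{ r.port }} accept
{% endfor %}
  }

  chain forward {
    # Input-only hosts leave forwarded traffic alone; every other host is
    # treated as a non-router and drops it.
    type filter hook forward priority 0; policy {{ 'accept' if base__firewall_input_only | bool else 'drop' }};
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}

# Drop-ins are read after the table above and may extend it. A pattern that
# matches no files is not treated as an error by nft (confirm for the nft
# version in use).
include "{{ base__firewall_dropin_dir }}/*.nft"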