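#!/usr/sbin/nft -f
# Ansible managed — do not edit by hand. Source: roles/base (ADR-020).
#
# Host firewall rendered from the base role's variables.  `nft -f` loads the
# file as one transaction, so a render or parse error leaves the previous
# ruleset in place instead of half-applying this one (fails closed).
#
# Role variables used:
#   base__firewall_mgmt_interface  interface on which SSH is reachable
#   base__firewall_ssh_port        TCP port of the SSH daemon
#   base__firewall_control_addr    optional IPv4 source allowed to SSH on any interface
#   base__firewall_resolved        list of {sources, proto, port} allow rules (IPv4 sources)
#   base__firewall_dropin_dir      directory whose *.nft files are appended to the ruleset

flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop

    # Management access: SSH on the management interface from any source, plus
    # (when configured) from the control address on any interface.
    iifname "{{ base__firewall_mgmt_interface }}" tcp dport {{ base__firewall_ssh_port }} accept
{% if base__firewall_control_addr %}
    ip saddr {{ base__firewall_control_addr }} tcp dport {{ base__firewall_ssh_port }} accept
{% endif %}

    # ICMP / ICMPv6.  `meta l4proto` resolves the transport header behind IPv6
    # extension headers; `ip6 nexthdr` only reads the first next-header field,
    # so ICMPv6 carried behind a Hop-by-Hop header (e.g. MLD, which requires
    # the Router Alert option) would not have matched and would be dropped.
    ip protocol icmp accept
    meta l4proto ipv6-icmp accept

    # Per-service allow rules.  `ip saddr` matches IPv4 only: an IPv6 address
    # in r.sources, or an empty r.sources, does not parse and the whole load is
    # rejected (see header), surfacing as a task failure rather than an open host.
{% for r in base__firewall_resolved %}
    ip saddr { {{ r.sources | join(', ') }} } {{ r.proto }} dport {{ r.port }} accept
{% endfor %}
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}

# Drop-ins are loaded in the same transaction and may add tables, chains or
# rules of their own, so whoever can write to this directory controls the
# ruleset; keep it root-owned and not group/world writable.
include "{{ base__firewall_dropin_dir }}/*.nft"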