boma/roles/base/templates/nftables.conf.j2

#!/usr/sbin/nft -f
# Ansible managed — do not edit by hand. Source: roles/base (ADR-020).
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop
    iifname "{{ base__firewall_mgmt_interface }}" tcp dport {{ base__firewall_ssh_port }} accept
{% if base__firewall_control_addr %}
    ip saddr {{ base__firewall_control_addr }} tcp dport {{ base__firewall_ssh_port }} accept
{% endif %}
{% for addr in base__firewall_admin_addrs %}
    ip saddr {{ addr }} tcp dport {{ base__firewall_ssh_port }} accept
{% endfor %}
    ip protocol icmp accept
    ip6 nexthdr ipv6-icmp accept
{% for r in base__firewall_resolved %}
    ip saddr { {{ r.sources | join(', ') }} } {{ r.proto }} dport {{ r.port }} accept
{% endfor %}
  }
  chain forward { type filter hook forward priority 0; policy {{ 'accept' if base__firewall_input_only | bool else 'drop' }}; }
  chain output  { type filter hook output  priority 0; policy accept; }
}

include "{{ base__firewall_dropin_dir }}/*.nft"