#!/usr/bin/nft -f
# Laptop firewall: default-deny inbound, allow outbound.
# Scoped to `inet filter` so podman/netavark tables are preserved on reload
# (no `flush ruleset`). `destroy table` is a no-op when the table is absent;
# it needs nftables >= 1.0.8 / kernel >= 6.3 — on older hosts replace it with
# `table inet filter` followed by `delete table inet filter`.
destroy table inet filter

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback is always trusted.
        iif "lo" accept

        # Conntrack: replies and related flows in, malformed/out-of-window out.
        # State "new" is not listed, so it falls through to the allow list below.
        ct state vmap {
            established : accept,
            related     : accept,
            invalid     : drop
        }

        # IPv4 ICMP: echo plus the error types needed for PMTUD / error reporting.
        # NOTE(review): echo-request is not rate-limited here; add `limit rate`
        # on this rule if ping floods are a concern for this host.
        ip protocol icmp icmp type {
            echo-request,
            destination-unreachable,
            time-exceeded,
            parameter-problem
        } accept

        # IPv6 ICMP: NDP (neighbor/router discovery), PMTUD (packet-too-big),
        # error reporting, echo, and MLD group membership.
        meta l4proto icmpv6 icmpv6 type {
            destination-unreachable,
            packet-too-big,
            time-exceeded,
            parameter-problem,
            echo-request,
            nd-router-solicit,
            nd-router-advert,
            nd-neighbor-solicit,
            nd-neighbor-advert,
            mld-listener-query,
            mld-listener-report,
            mld-listener-done,
            mld2-listener-report
        } accept

        # DHCPv6 client: server/relay replies come from link-local sources
        # to the client port (546).
        ip6 saddr fe80::/10 udp dport 546 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # NOTE(review): a drop verdict in this base chain is final for the
        # packet, regardless of an accept in another forward-hook chain
        # (e.g. netavark's own table). If podman containers need bridged
        # forwarding, confirm this does not break them and add an explicit
        # accept for the container bridge interface here if it does.
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}