#!/usr/sbin/nft -f

flush ruleset

# don't use inet instead of ip&ip6,
# because Docker doesn't support it, yet
# see https://maximilianehlers.com/blog/nftables-and-docker/ for more details

table ip filter {
    chain INPUT {
        type filter hook input priority 0;
        policy drop;


        # allow already established connections (e.g. initiated by this host)
        ct state related,established accept

        # allow ICMP
        ip protocol icmp accept

        # allow anything on localhost
        iifname "lo" accept

        # allow SSH for remote management
        tcp dport 22 accept


        ## docker

        # cluster management communications
        tcp dport 2377 accept

        # communication among nodes
        tcp dport 7946 accept
        udp dport 7946 accept

        # overlay network traffic
        udp dport 4789 accept
    }
    chain FORWARD {
        type filter hook forward priority 0;
        policy drop;
    }
    chain OUTPUT {
        type filter hook output priority 0;
        policy accept;
    }
}
table ip6 filter {
    chain INPUT {
        type filter hook input priority 0;
        policy drop;


        # allow already established connections (e.g. initiated by this host)
        ct state related,established accept

        # allow ICMPv6
        ip6 nexthdr icmpv6 accept

        # allow anything on localhost
        iifname "lo" accept
    }
    chain FORWARD {
        type filter hook forward priority 0;
        policy drop;
    }
    chain OUTPUT {
        type filter hook output priority 0;
        policy accept;
    }
}