dch-gw: Initial commit

The *dch-gw* role, and the corresponding `dch-gw.yml` playbook, apply
all of the necessary configuration to the edge router on my home
network.

roles/dch-gw/templates/port-forwards.nft.j2

@@ -0,0 +1,45 @@
+{# vim: set sw=4 ts=4 sts=4 et : #}
+include "/var/lib/dhcpcd/outside-address.ruleset"
+
+table ip nat {
+    set inside_networks {
+        type ipv4_addr
+        flags interval
+        elements = {
+{% for name, network in dch_networks|dictsort if network.ipv4_address is defined %}
+            {{ network.ipv4_address }},
+{% endfor %}
+        }
+    }
+
+    map tcp_forward {
+        type inet_service: ipv4_addr
+        flags interval
+        elements = {
+{% for item in nat_port_forwards if item.protocol|d('tcp') == 'tcp' %}
+            {{ item.port }}: {{ item.destination }},
+{% endfor %}
+        }
+    }
+
+    map udp_forward {
+        type inet_service: ipv4_addr
+        flags interval
+        elements = {
+{% for item in nat_port_forwards if item.protocol|d('tcp') == 'udp' %}
+            {{ item.port }}: {{ item.destination }},
+{% endfor %}
+        }
+    }
+
+    chain prerouting {
+        ip daddr $outside_address dnat tcp dport map @tcp_forward
+        ip daddr $outside_address dnat udp dport map @udp_forward
+    }
+
+    chain postrouting {
+{% for item in nat_port_forwards %}
+        ip saddr @inside_networks ip daddr {{ item.destination }} {{ item.protocol|d('tcp') }} dport {{ item.port }} masquerade
+{% endfor %}
+    }
+}