configpolicy/roles/dch-gw/templates/port-forwards.nft.j2
Dustin C. Hatch b83e832df9 roles/dch-gw: Explicitly accept forwarded ports
Marking packets matching port-forwarding rules, and then allowing
traffic carrying that mark did not seem to work well. Often, packets
seemed to get dropped for no apparent reason, and outside connections to
NAT'd services were sometimes slow as a result. Explicitly listing every
destination host/port in the `forward` table seems to resolve this
issue.
2018-04-06 20:13:03 -05:00
{# vim: set sw=4 ts=4 sts=4 et : #}
include "/var/lib/dhcpcd/outside-address.ruleset"
table ip nat {
set inside_networks {
type ipv4_addr
flags interval
elements = {
{% for name, network in dch_networks|dictsort if network.ipv4_address is defined %}
{{ network.ipv4_address }},
{% endfor %}
}
}
map tcp_forward {
type inet_service: ipv4_addr
flags interval
elements = {
{% for item in nat_port_forwards if item.protocol|d('tcp') == 'tcp' %}
{{ item.port }}: {{ item.destination }},
{% endfor %}
}
}
map udp_forward {
type inet_service: ipv4_addr
flags interval
elements = {
{% for item in nat_port_forwards if item.protocol|d('tcp') == 'udp' %}
{{ item.port }}: {{ item.destination }},
{% endfor %}
}
}
chain prerouting {
ip daddr $outside_address dnat tcp dport map @tcp_forward
ip daddr $outside_address dnat udp dport map @udp_forward
}
chain postrouting {
{% for item in nat_port_forwards %}
ip saddr @inside_networks ip daddr {{ item.destination }} {{ item.protocol|d('tcp') }} dport {{ item.port }} masquerade
{% endfor %}
}
}
table inet filter {
chain forward {
{% for item in nat_port_forwards %}
ip daddr {{ item.destination }} {{ item.protocol|d('tcp') }} dport {{ item.port }} counter accept
{% endfor %}
}
}
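Review bot: The `counter accept` rule generated in the `filter` `forward` chain matches only on destination address and port, so it admits traffic from any source or interface toward `{{ item.destination }}`, not just connections that prerouting DNAT'd from `$outside_address`; if that chain otherwise drops traffic between internal networks, every forwarded service becomes reachable from every network behind the gateway. Qualifying the rule on conntrack state keeps the commit's intent without the mark handling it replaces: `ct status dnat ip daddr {{ item.destination }} {{ item.protocol|d('tcp') }} dport {{ item.port }} counter accept`. The base chain's hook and policy are not declared in this template, so whether the wider exposure is real depends on the chain defined elsewhere. A short comment above the loop saying these rules are meant to cover only DNAT'd connections would also help the next editor.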