nft-simple-fw/conf.def

# fw filter priority (filter = 0)
define HOOK_FILTER_PRIORITY = filter

# link-local / unique-local addresses
define NET_V6_LINK_LOCAL = fe80::/10
define NET_V6_UNIQUE_LOCAL = fc00::/7

# interface groups
define IIFGROUP_ETHERNET = 1
define IIFGROUP_VPN = 2

# private network sets
define SET_PRIVATE_NETS_V4 = {
	10.0.0.0/8,
	169.254.0.0/16,
	172.16.0.0/12,
	192.168.0.0/16
}

define SET_PRIVATE_NETS_V6 = {
	$NET_V6_LINK_LOCAL,
	$NET_V6_UNIQUE_LOCAL
}

define SET_ALLOW_ICMP_V4 = {
	echo-reply,
	destination-unreachable,
	source-quench,
	echo-request,
	router-advertisement,
	router-solicitation,
	time-exceeded
}

# types additional to the rfc4890 chain
# dummy values as a workaround for nftables < 0.9.7
# https://git.netfilter.org/nftables/commit/?id=9297f5b5301b76bb24513b114f905e6fac0a90cd
define SET_ALLOW_ICMP_V6 = {
	echo-request,
	echo-reply
}

# log format (log-{drop,reject} / log-{drop,reject}-nf)
# see log.nft for details
define CHAIN_LOG_DISPATCH_DROP = log-drop
define CHAIN_LOG_DISPATCH_REJECT = log-reject


# service definitions for easy access
## syncthing
define DPORT_TCP_SYNCTHING = 22000
define DPORT_UDP_SYNCTHING = 21027
## wireguard
define DPORT_TCP_WIREGUARD = 51820
## magic-wormhole
define DPORT_TCP_WORMHOLE = 4000-4001