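# Dual-stack router ruleset. "inet firewall" filters IPv4 and IPv6 together;
# "ip nat4" holds the IPv4 port-forward map and the outbound masquerade.
#
# Changes versus the previous revision:
#  - the source-address based zone jumps in input/forward are now limited to
#    non-wan interfaces (closes a spoofing path, see comments there);
#  - the masquerade source list uses the RFC 1918 block 172.16.0.0/12 instead
#    of 172.0.0.0/12.
table inet firewall {
	# IPv6 port-forwards: protocol . internal address . port
	set port_forward_v6 {
		type inet_proto . ipv6_addr . inet_service
		elements = {
			tcp . 2600:1700:115f:300f::11:1 . 22000,
			udp . 2600:1700:115f:300f::11:1 . 22000
		}
	}

	# Internal hosts that accept tcp/443 only from the source ranges listed in
	# zone_wan_forward (presumably an origin behind a Cloudflare-proxied record).
	set cloudflare_forward_v6 {
		type ipv6_addr
		elements = { 2600:1700:115f:300f::11:1 }
	}

	chain input {
		type filter hook input priority filter; policy drop;

		# Our own router advertisement seen coming back in on wan: log and drop.
		iifname "wan" ip6 saddr fe80::be24:11ff:fe83:d8de icmpv6 type nd-router-advert log prefix "self radvt: " drop

		ct state established,related accept

		# ICMPv6 from the site prefix or link-local, and any ICMPv6 addressed to link-local.
		# NOTE(review): "ip6 nexthdr" only matches when ICMPv6 is the first header;
		# packets with extension headers in front fall through to the zone rules.
		ip6 nexthdr ipv6-icmp ip6 saddr { 2600:1700:115f:3000::/60, fe80::/10 } accept
		ip6 nexthdr ipv6-icmp ip6 daddr fe80::/10 accept

		iif "lo" accept

		# DHCPv6 client/server exchanges on link-local and multicast destinations.
		ip6 daddr { fe80::/10, ff02::/16 } th dport { 546, 547 } accept

		# NOTE(review): these two rules come before the zone dispatch, so SSH and
		# udp/51944 are reachable on every interface, wan included. If SSH is
		# meant to be LAN-only, delete the tcp/22 line here - zone_lan_input
		# already accepts it. udp/51944 is presumably the wg0 listener - confirm.
		tcp dport 22 accept
		udp dport 51944 accept

		iifname "wan" jump zone_wan_input
		iifname { "wg0", "lan", "lan.10", "lan.20", "lan.30", "lan.40", "lan.50" } jump zone_lan_input
		# Source-address based zone membership for LAN prefixes arriving on any
		# other interface. wan is excluded: zone_wan_input is empty and returns,
		# so a wan packet carrying a forged LAN source would otherwise continue
		# to this rule and be treated as LAN traffic.
		iifname != "wan" ip6 saddr { 2600:1700:115f:3000::/64, 2600:1700:115f:300d::/64 } jump zone_lan_input
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		ct state established,related accept

		iifname "wan" jump zone_wan_forward
		iifname { "wg0", "lan", "lan.10", "lan.20", "lan.30", "lan.40", "lan.50" } jump zone_lan_forward
		# Same wan exclusion as in input. Without it a wan packet with a forged
		# LAN source that zone_wan_forward did not accept would reach
		# zone_lan_forward, whose oifname { lan ... } accept forwards it inward.
		iifname != "wan" ip6 saddr { 2600:1700:115f:3000::/64, 2600:1700:115f:300d::/64 } jump zone_lan_forward
	}

	# Nothing from wan reaches the router itself beyond the global rules in input.
	chain zone_wan_input {
	}

	chain zone_wan_forward {
		# Flows already rewritten by the ip nat4 port-forward map.
		ct status dnat accept
		# IPv6 port-forwards (no NAT involved; the host is globally addressed).
		meta l4proto . ip6 daddr . th dport @port_forward_v6 accept
		# tcp/443 to the fronted hosts, only from the listed source ranges.
		ip6 saddr { 2400:cb00::/32, 2405:8100::/32, 2405:b500::/32, 2606:4700::/32, 2803:f800::/32, 2a06:98c0::/29, 2c0f:f248::/32 } ip6 daddr @cloudflare_forward_v6 th dport 443 accept
	}

	chain zone_lan_input {
		ip6 nexthdr ipv6-icmp accept
		ip protocol icmp accept
		tcp dport { 22, 443 } accept
		# 53 DNS, 67 DHCPv4 server, 547 DHCPv6 server; udp/443 presumably QUIC or DoH - confirm.
		udp dport { 53, 67, 443, 547 } accept
	}

	chain zone_lan_forward {
		# ULA-sourced traffic must never leave towards the internet.
		oifname "wan" ip6 saddr fd00::/8 drop
		oifname "wan" accept
		# Every internal segment may reach every other one (no inter-VLAN isolation).
		oifname { "wg0", "lan", "lan.10", "lan.20", "lan.30", "lan.40", "lan.50" } accept
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}

table ip nat4 {
	# Inbound IPv4 forwards: protocol . external port : internal address . internal port
	map port_forward {
		type inet_proto . inet_service : ipv4_addr . inet_service
		elements = {
			udp . 35848 : 10.17.1.250 . 35848,
			udp . 37138 : 10.17.10.31 . 37138,
			udp . 40993 : 10.17.1.250 . 40993,
			udp . 45608 : 10.17.1.250 . 45608,
			udp . 48425 : 10.17.1.250 . 48425,
			tcp . 8006 : 10.17.50.10 . 8006,
			tcp . 38247 : 10.17.10.31 . 22,
			udp . 48512 : 10.17.1.250 . 48512,
			udp . 24454 : 10.17.1.11 . 24454,
			udp . 18596 : 10.17.1.250 . 18596,
			tcp . 25565 : 10.17.1.11 . 25565,
			udp . 25565 : 10.17.1.11 . 25565
		}
	}

	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		# NOTE(review): not restricted to iifname "wan", so the map also rewrites
		# LAN traffic addressed to any local address of the router (hairpin
		# without a matching SNAT). Add iifname "wan" here if that is unintended.
		fib daddr type local dnat ip to meta l4proto . th dport map @port_forward
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		# Masquerade RFC 1918 sources leaving via wan. The previous revision listed
		# 172.0.0.0/12, which spans 172.0.0.0-172.15.255.255 and therefore did
		# not cover the private 172.16.0.0/12 block at all.
		oifname "wan" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } masquerade
	}
}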