interface wan : WAN { dynamic; };
interface lan : LAN { cidr4 = { 10.0.0.0/24 }; };

zone lan_zone = { lan };

let rfc1918 : Set = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 };
let open_ports : Set = { :22 };
let forwards_v6 : Set<(Protocol, IPv6, Port)> = { (tcp, 2001:db8::1, :22000) };

portforward wan_forwards on wan via Map<(Protocol, Port), (IPv4, Port)> = {
  (tcp, :8080) -> (10.0.0.10, :80)
};

masquerade wan_snat on wan src rfc1918;

policy input : Frame hook Input = {
  | Frame(_, IPv4(_, TCP(tcp, _))) if tcp.dport in open_ports -> Allow;
  | Frame(_, IPv4(_, UDP(udp, _))) if udp.dport == :51944 -> Allow;
  | _ -> Drop;
};

policy forward : Frame hook Forward = {
  | Frame(iif in lan_zone -> wan, _) -> Allow;
  | Frame(wan -> iif in lan_zone, IPv6(ip6, TCP(th, _) | UDP(th, _)))
      if (ip6.protocol, ip6.dst, th.dport) in forwards_v6 -> Allow;
  | _ -> Drop;
};