router: refactor firewall nftables config

hosts/router/firewall.nix

@@ -4,13 +4,7 @@ let
   links = vars.links;
   ifs = vars.ifs;
   pdFromWan = vars.pdFromWan;
-in
-{
-  networking.firewall.enable = false;
-  networking.nftables.enable = true;
-  networking.nftables.tables.firewall = {
-    family = "inet";
-    content = ''
+  nftIdentifiers = ''
     define ZONE_WAN_IFS = { ${ifs.wan.name} }
     define ZONE_LAN_IFS = {
         ${ifs.lan.name},
@@ -39,19 +33,67 @@ in
         2a06:98c0::/29,
         2c0f:f248::/32,
     }
-
-      define ALLOWED_TCP_PORTS = { ssh, https }
-      define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain }
-
-      map port_forward_v4 {
+  '';
+in
+{
+  networking.firewall.enable = false;
+  networking.nftables.enable = true;
+  # networking.nftables.ruleset = nftIdentifiers; #doesn't work because it's appended to the end
+  networking.nftables.tables.nat4 = {
+    family = "ip";
+    content = ''
+      ${nftIdentifiers}
+      map port_forward {
           type inet_proto . inet_service : ipv4_addr . inet_service
           elements = {
               tcp . 8006 : ${ifs.lan50.p4}.10 . 8006
           }
       }
+
+      chain prerouting {
+          # Initial step, accept by default
+          type nat hook prerouting priority dstnat; policy accept;
+
+          # Port forwarding
+          fib daddr type local dnat ip to meta l4proto . th dport map @port_forward
+      }
+
+      chain postrouting {
+          # Last step, accept by default
+          type nat hook postrouting priority srcnat; policy accept;
+
+          # Masquerade LAN addrs
+          oifname $ZONE_WAN_IFS ip saddr $RFC1918 masquerade
+      }
+    '';
+  };
+
+  # Optional IPv6 masquerading (big L if enabled, don't forget to allow forwarding)
+  networking.nftables.tables.nat6 = {
+    family = "ip6";
+    enable = false;
+    content = ''
+      ${nftIdentifiers}
+      chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+          oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 masquerade
+      }
+    '';
+  };
+
+  networking.nftables.tables.firewall = {
+    family = "inet";
+    content = ''
+      ${nftIdentifiers}
+      define ALLOWED_TCP_PORTS = { ssh, https }
+      define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain }
       set port_forward_v6 {
           type inet_proto . ipv6_addr . inet_service
-          # elements = {}
+          elements = {
+              # syncthing on alpina
+              tcp . ${ifs.lan.p6}::11:1 . 22000 ,
+              udp . ${ifs.lan.p6}::11:1 . 22000 ,
+          }
       }
       set cloudflare_forward_v6 {
           type ipv6_addr
@@ -94,7 +136,7 @@ in
           # WAN zone input rules
           iifname $ZONE_WAN_IFS jump zone_wan_input
           # LAN zone input rules
-          iifname $ZONE_LAN_IFS accept
+          # iifname $ZONE_LAN_IFS accept
           iifname $ZONE_LAN_IFS jump zone_lan_input
           ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_input
 
@@ -160,25 +202,6 @@ in
           # NAT reflection
           # oif lo ip daddr != 127.0.0.0/8 dnat ip to meta l4proto . th dport map @port_forward_v4
       }
-
-      chain prerouting {
-          # Initial step, accept by default
-          type nat hook prerouting priority dstnat; policy accept;
-
-          # Port forwarding
-          fib daddr type local dnat ip to meta l4proto . th dport map @port_forward_v4
-      }
-
-      chain postrouting {
-          # Last step, accept by default
-          type nat hook postrouting priority srcnat; policy accept;
-
-          # Masquerade LAN addrs
-          oifname $ZONE_WAN_IFS ip saddr $RFC1918 masquerade
-
-          # Optional IPv6 masquerading (big L if enabled, don't forget to allow forwarding)
-          # oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 masquerade
-      }
     '';
   };
 }