# {{ansible_managed}}

# Start from an empty ruleset: the rendered file is the complete firewall,
# so nothing from a previous load survives.
flush ruleset

# Host-facing interface: inbound port forwards arrive here, guest egress
# leaves here.
define wan_if = xenbr0
# Guest bridge; only the disabled rules below refer to it.
define guest_if = guestbr0

table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;

		# Policy is accept, so every service the host itself listens on is
		# reachable from $wan_if except what is rejected here. Reject rather
		# than drop: clients get an immediate error instead of a timeout.
		# DNAT (ip nat table) happens in prerouting, before this chain, so the
		# guest forwards on 21/23/1024-1027 are unaffected; this only hides
		# the host's own sshd from $wan_if.
		iif $wan_if tcp dport 22 reject

		# Disabled candidates, kept for reference (not loaded):
		#iif $wan_if tcp dport 23 reject
		#iif $wan_if udp dport 541 reject with icmp type port-unreachable
		#iif $wan_if tcp dport 541 reject
		#iif $wan_if tcp dport 2222 reject
		#iif $wan_if tcp dport 2223 reject
		# Would pin guest-bridge traffic to the gateway address (not active):
		#iif $guest_if ip daddr != 10.1.255.254 reject
		#oif $guest_if ip saddr != 10.1.255.254 reject
	}

	# Forwarded traffic is not filtered: whatever prerouting DNATs into the
	# guest network, and whatever guests send out, passes this chain.
	chain forward {
		type filter hook forward priority filter; policy accept;
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}

# IPv4 only (family ip); no IPv6 NAT is defined in this file.
table ip nat {
	# Inbound port forwards from $wan_if to guest sshd. The rules match on
	# interface and destination port only; there is no source-address
	# restriction, so any peer that can reach $wan_if on these ports reaches
	# the corresponding guest.
	chain prerouting {
		type nat hook prerouting priority dstnat;

		# nobudget instances on guestbr0
		iif $wan_if tcp dport 21 dnat 10.1.0.21:22
		iif $wan_if tcp dport 23 dnat 10.1.0.23:22

		# guests on guestbr0 (external port 1024+N -> 10.1.4.N:22)
		iif $wan_if tcp dport 1024 dnat 10.1.4.0:22
		iif $wan_if tcp dport 1025 dnat 10.1.4.1:22
		iif $wan_if tcp dport 1026 dnat 10.1.4.2:22
		iif $wan_if tcp dport 1027 dnat 10.1.4.3:22
	}

	# Source NAT for the whole guest range when it leaves via $wan_if.
	chain postrouting {
		type nat hook postrouting priority srcnat;

		# `cidr` carries a prefix length; the regex strips the trailing "/N"
		# so snat receives a bare address.
		ip saddr 10.1.0.0/16 oif $wan_if snat {{ cidr | regex_replace('/\d+$','') }}
	}
}