# {{ansible_managed}}
#
# Per-node nftables ruleset for a small guest cluster.  TCP/80 arriving on the
# public bridge is steered to one fixed guest address with a stateless
# (pre-conntrack) daddr rewrite; the node that accepted the connection is
# remembered in the conntrack mark so the guest's replies can be re-sourced
# from that node's public address on the way back out.
#
# NOTE(review): `flush ruleset` below drops every table in the kernel, not only
# the ones declared here, so anything else that installs nftables rules on this
# host (firewalld, docker, libvirt, ...) is wiped each time this file is loaded.
# Usual contract for an Ansible-managed full ruleset, but worth confirming.

define public_if = xenbr0      # public-facing bridge
define guest_if  = guestbr0    # bridge the guests are attached to

flush ruleset

# Inter-node link (eth1), handled below the IP stack.
table netdev guest-cluster {
    chain convergent-inbound {
        type filter hook ingress devices = { eth1 } priority -500;
        # Tag frames from a peer node with that node's id, keyed on the top
        # three bytes of the source MAC (one prefix per node).
        # todo - scale horizontally with hex
        # NOTE(review): the source MAC is chosen by the sender, so any host on
        # eth1 can pick its own mark; this assumes eth1 is a trusted
        # node-to-node segment -- confirm.
        ether saddr & ff:ff:ff:00:00:00 == 0a:00:00:00:00:00 meta mark set 0x01
        ether saddr & ff:ff:ff:00:00:00 == 0e:00:00:00:00:00 meta mark set 0x02
    }
    chain convergent-outbound {
        type filter hook egress devices = { eth1 } priority -500;
        # Keep ARP for 10.1.255.254 off the inter-node link in both directions
        # (presumably a shared/floating address -- it is not defined here).
        arp saddr ip 10.1.255.254 drop
        arp daddr ip 10.1.255.254 drop
    }
}

# "Stateless" DNAT: both rewrites live in filter chains, one ahead of the
# conntrack hook (prerouting -300) and one just ahead of the nat postrouting
# chain (postrouting 90), so conntrack never records a NAT binding for them.
table ip stateless-dnat {
    chain diy-dnat {
        type filter hook prerouting priority -300;
        # TCP/80 entering on the public bridge: stamp this node's id into the
        # packet mark and point the packet at the service guest.
        # NOTE(review): no `ip daddr` match, so this also captures port-80
        # traffic addressed to the host itself or to anything else reachable
        # via $public_if; narrow it if that is not intended.
        # NOTE(review): the mark literal only lines up with convergent-inbound's
        # 0x01/0x02 while node ids are single hex digits (10 renders as 0x010).
        iif $public_if tcp dport 80 meta mark set 0x0{{node_id}} ip daddr set {{guest_prefix}}.0.201
    }
    chain dunnat-spoof {
        type filter hook postrouting priority 90;
        # Guest replies leaving via the public bridge: re-source them from the
        # public address of whichever node (this one or a peer) accepted the
        # connection, as recorded in the conntrack mark.
        {% for peer in node_ids %}
        oif $public_if ip saddr {{guest_network}} ct mark == 0x0{{peer}} ip saddr set {{dirty_pub_prefix}}{{peer}}
        {% endfor %}
    }
}

# requires br_netfilter module to be loaded (otherwise traffic bridged onto
# $guest_if never traverses these ip-family hooks)
table ip bridge-state {
    chain to-guest {
        type filter hook postrouting priority 0;
        # As a flow is handed to a guest, copy a non-zero packet mark into the
        # conntrack mark so the reply can be matched in dunnat-spoof.
        oif $guest_if ip daddr {{guest_network}} meta mark != 0 ct mark set meta mark
    }
}

# Ordinary stateful source NAT for connections the guests originate.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oif $public_if ip saddr {{guest_network}} snat {{dirty_pub_prefix}}{{node_id}}
    }
}