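{#- vim: set sw=4 ts=4 sts=4 et : #}
{#-
    Host firewall for the inet (IPv4 + IPv6) family, rendered by Jinja2/Ansible.

    Template inputs:
      allow_incoming  list of mappings {port, protocol}; protocol defaults to
                      "tcp". port is a single service number/name or an nft
                      interval such as "8000-8010" (the sets carry
                      "flags interval" for that reason).
      internet_iface  name of the interface facing the untrusted network. The
                      allowlisted ports are reachable only from the *other*
                      interfaces.

    Resulting policy on the input hook: established/related flows, loopback,
    ICMP/ICMPv6, DHCPv6 server->client replies and the allowlisted ports on
    internal interfaces are accepted; everything else hits the base-chain
    drop policy.
-#}
{#- Sort the allowlist by protocol once, so an empty list can be detected:
    nft's parser rejects an empty "elements = { }" block (verify against your
    nft version), so that line is only emitted when there is at least one
    element. A set without an "elements" line is valid and simply empty.
    namespace() needs Jinja2 >= 2.10. #}
{% set ns = namespace(tcp=[], udp=[]) %}
{% for item in allow_incoming %}
{% if item.protocol|d('tcp') == 'tcp' %}
{% set ns.tcp = ns.tcp + [item.port] %}
{% elif item.protocol|d('tcp') == 'udp' %}
{% set ns.udp = ns.udp + [item.port] %}
{% endif %}
{% endfor %}
table inet filter {
    set allow_tcp_in {
        type inet_service
        flags interval
{% if ns.tcp %}
        elements = { {{ ns.tcp | join(', ') }} }
{% endif %}
    }
    set allow_udp_in {
        type inet_service
        flags interval
{% if ns.udp %}
        elements = { {{ ns.udp | join(', ') }} }
{% endif %}
    }
    chain input {
        # Without a hook declaration this is a regular chain that nothing jumps
        # to, and none of the rules below ever see a packet. Declare it as the
        # base chain for the input hook with a drop policy, which is what the
        # allow_* sets and the "ct state new ... accept" rules presume.
        # NOTE(review): if this file is instead include'd into a ruleset that
        # already declares the base chain, remove this line.
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        # Packets conntrack cannot classify (bad TCP flag combinations,
        # out-of-window) are never wanted and must not slip through the
        # unconditional icmp accepts further down.
        ct state invalid drop
        iif lo accept
        # meta l4proto matches ICMPv6 even when IPv6 extension headers precede
        # it (MLD reports carry a hop-by-hop header); "ip6 nexthdr" only looks
        # at the first header and would silently miss those.
        meta l4proto ipv6-icmp accept
        ip protocol icmp accept
        # DHCPv6 replies are not "established" for conntrack because the
        # request went to a multicast address. Match the full server->client
        # port pair: matching only the source port would let any UDP datagram
        # sent from port 547 reach every UDP service on this host.
        # Optionally add "ip6 saddr fe80::/10" if your servers/relays always
        # reply from link-local addresses.
        udp sport dhcpv6-server udp dport dhcpv6-client counter accept
        # Allowlisted services, reachable only from non-internet interfaces.
        iif != {{ internet_iface }} tcp dport @allow_tcp_in ct state new counter accept
        iif != {{ internet_iface }} udp dport @allow_udp_in ct state new counter accept
        # Explicit, counted drops kept for visibility in "nft list ruleset";
        # the chain policy would drop these anyway.
        iif {{ internet_iface }} counter drop
        pkttype != host counter drop
    }
}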