#!/usr/bin/nft -f

# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool

# Provides firewall when running inside initrd
# see: https://wiki.archlinux.org/index.php/Nftables

# file location in initramfs:
# /etc/nftables.conf

# file location in real-root:
# /etc/mkinitcpio-systemd-tool/config/initrd-nftables.conf

# note:
# * more nft examples are in /usr/share/nftables/
# * make sure SSHD_PORT matches dropbear or tinysshd

define SSHD_PORT = 22

table inet filter {
	set knockd4-allow {
		type ipv4_addr
		timeout 7d
	}
	set knockd4-step2 {
		type ipv4_addr
		timeout 5s
	}
	set knockd4-step1 {
		type ipv4_addr
		timeout 5s
	}
	set knockd6-allow {
		type ipv6_addr
		timeout 7d
	}
	set knockd6-step2 {
		type ipv6_addr
		timeout 5s
	}
	set knockd6-step1 {
		type ipv6_addr
		timeout 5s
	}
	chain input {
		type filter hook input priority 0; policy drop;
		ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 1/second accept
		ip6 nexthdr icmpv6 icmpv6 type echo-request counter drop
		ip protocol icmp icmp type echo-request limit rate 1/second accept
		ip protocol icmp icmp type echo-request counter drop
		ct state {established, related} accept
		ct state invalid drop
		tcp dport $SSHD_PORT ip saddr @knockd4-allow accept
		ip saddr @knockd4-step2 tcp dport $SSHD_PORT set add ip saddr @knockd4-allow
		ip saddr @knockd4-step1 tcp dport $SSHD_PORT set add ip saddr @knockd4-step2
		tcp dport $SSHD_PORT set add ip saddr @knockd4-step1
		tcp dport $SSHD_PORT ip6 saddr @knockd6-allow accept
		ip6 saddr @knockd6-step2 tcp dport $SSHD_PORT set add ip6 saddr @knockd6-allow
		ip6 saddr @knockd6-step1 tcp dport $SSHD_PORT set add ip6 saddr @knockd6-step2
		tcp dport $SSHD_PORT set add ip6 saddr @knockd6-step1
		ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
		ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
		reject
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
		accept
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}