#
# nftables-system-ruleset - Basic nftables rules for bonding nodes
#
# This ruleset is only active when bonding is not running.
#

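# Replaces the entire kernel ruleset, including any tables installed by other
# tools; see the header note on when this file is active.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Fast path: packets belonging to an already-accepted connection are
        # accepted, packets the conntrack engine cannot classify are dropped.
        ct state established,related accept
        ct state invalid drop

        # Allow from loopback before any included rules, so that a
        # salt-managed or local customisation cannot lock out services that
        # talk to the node over lo (and lo traffic skips the included rules).
        iifname lo accept

        # Load rules defined via salt as well as local customisations, if
        # present. Included rules are evaluated at this position in the
        # chain, i.e. only for non-loopback traffic that the ct rules above
        # did not already accept or drop; anything they do not accept falls
        # through to the rules below and finally to the chain's drop policy.
        #
        include "/etc/bonding/nftables/filter-input-*.nft"

        # Allow ICMP/ICMPv6 (all types). ICMPv6 is required for neighbour
        # discovery and path MTU discovery; if this needs tightening, restrict
        # by icmp/icmpv6 type rather than removing the rule.
        #
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept

        # Note: no forward or output base chains are defined in this table, so
        # forwarded and locally generated traffic is not filtered by this
        # ruleset.
    }
}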
