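#!/usr/sbin/nft -f
#
# "uniwall": destination NAT for two virtual networks plus blanket masquerade.
#
# Packets whose destination lies inside $vnet4 / $vnet6 have their destination
# rewritten to the address stored for it in @vmap4 / @vmap6.  A destination
# with no map entry — and any non-TCP/UDP packet to those ranges — is rejected.
# Everything leaving a non-loopback interface is source-NATed (masquerade).
#
# Address ranges: 198.18.0.0/16 is the IPv4 benchmarking range and
# 2001:db8::/32 the IPv6 documentation prefix.
define vnet4 = 198.18.0.0/16
define vnet6 = 2001:db8:1234:5678::/80

table inet uniwall {

	# Original destination -> replacement destination, one map per family.
	# "dynamic" allows elements to be added at runtime; nothing in this file
	# adds any, so presumably an external process does ("nft add element")
	# — verify against whatever drives this ruleset.  Every element expires
	# one minute after insertion unless it is refreshed before then.
	map vmap4 {
		type ipv4_addr : ipv4_addr
		flags dynamic,timeout
		timeout 1m
	}

	map vmap6 {
		type ipv6_addr : ipv6_addr
		flags dynamic,timeout
		timeout 1m
	}

	# Terminal chain: answer with ICMP / ICMPv6 host-unreachable.
	# "reject" ends rule traversal on its own, so the "drop" that used to
	# follow it in this rule could never execute and has been removed.
	# NOTE(review): this chain is reached from a prerouting hook
	# (nat_prerouting); older kernels only accept reject in input/forward/
	# output chains — confirm the target kernel loads this ruleset.
	chain rejectx {
		reject with icmpx type host-unreachable
	}

	# Rewrite the destination of TCP/UDP packets to the mapped address; the
	# destination port is left untouched.  A destination without a map
	# entry does not match the dnat rule and falls through to the reject,
	# as does any other L4 protocol (e.g. ICMP) aimed at the range.
	chain dnat_tele4 {
		meta nfproto ipv4 meta l4proto { tcp, udp } dnat ip to ip daddr map @vmap4
		goto rejectx
	}

	chain dnat_tele6 {
		meta nfproto ipv6 meta l4proto { tcp, udp } dnat ip6 to ip6 daddr map @vmap6
		goto rejectx
	}

	# Dispatch by destination range.  Only $vnet4 / $vnet6 are handled;
	# any other destination returns to the calling base chain unchanged.
	chain dnat_map4 {
		ip daddr vmap { $vnet4 : goto dnat_tele4 }
		return
	}

	chain dnat_map6 {
		ip6 daddr vmap { $vnet6 : goto dnat_tele6 }
		return
	}

	# Base chains.  nat-type chains are consulted for the first packet of a
	# connection only; conntrack then applies the chosen mapping to the
	# remaining packets of that flow.  Policy accept is the default and is
	# spelled out here so the intent is explicit.

	# Forwarded / inbound traffic.
	chain nat_prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		meta nfproto vmap { ipv4 : jump dnat_map4, ipv6 : jump dnat_map6 }
	}

	# Locally generated traffic gets the same destination rewrite.
	chain nat_output {
		type nat hook output priority dstnat; policy accept;
		meta nfproto vmap { ipv4 : jump dnat_map4, ipv6 : jump dnat_map6 }
	}

	# Source-NAT everything leaving any non-loopback interface to that
	# interface's own address.  This is deliberately broad — it also covers
	# interfaces facing internal segments; narrow it with "oifname" if only
	# the uplink is meant to masquerade.
	chain nat_postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		meta oiftype != loopback masquerade
	}
}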