{% if ansible_prolog -%}
{% from 'templates/ansible/prolog.j2' import prolog with context %}
{{ prolog() }}
{% endif -%}
#
#  Configuration file for ferm(1).
#

# Detecting network interface assiociated with default route
@def $NETDEV = `ip route list | sed -r -n 's/^default\s+via\s+.*\s+dev\s+([^\s]+)$/\1/p'`;
# Detecting list of bridge network interfaces
@def $BRIDGES = `ip link show up | sed -r -n 's/^[0-9]:\s+((xen|)br[^:]+):\s+.*$/\1/p' | xargs`;

# Default policies
domain (ip ip6) {
    table filter {
        chain (INPUT FORWARD) policy DROP;
        chain OUTPUT policy ACCEPT;
    }
}

# Allow all on lo interface
domain (ip ip6) table filter {
    chain INPUT interface lo ACCEPT;
    chain OUTPUT outerface lo ACCEPT;
}

# Allow ipv6 protocol specifics
domain ip table filter chain (INPUT OUTPUT) protocol (ipv6 ipv6-icmp) ACCEPT;

# Allow icmp-echo
domain (ip ip6) table filter chain (INPUT OUTPUT) protocol icmp icmp-type echo-request ACCEPT;

# Drop invalid packets
domain (ip ip6) table filter chain INPUT mod state state INVALID DROP;

# Established/related connections
domain (ip ip6) table filter chain (INPUT OUTPUT) mod state state (ESTABLISHED RELATED) ACCEPT;

domain (ip ip6) {
    table filter {
        chain INPUT {
            # standard ports we allow from the outside
            @if @not(@eq(@length(NETDEV),0)) {
                interface ($NETDEV) {
                    proto (udp tcp) dport ({{ firewall_public | join(' ') }}) ACCEPT;
                }
            }
{% if firewall_private is defined %}
{% for fwconf in firewall_private %}
            interface {{ fwconf.interface }}{% if fwconf.networks is defined %} saddr ({{ fwconf.networks | join(' ') }}){% endif %} {
                proto (udp tcp) dport ({{ fwconf.ports | join(' ') }}) ACCEPT;
            }
{% endfor %}
{% endif %}
            {% if not firewall_debug %}#{% endif %}LOG log-prefix "ferm INPUT REJECT: " log-level warning;
            REJECT;
        }
{% if firewall_private is defined %}
        chain OUTPUT {
{% for fwconf in firewall_private %}
{% if fwconf.users is defined %}
            outerface {{ fwconf.interface }} {
                mod owner uid-owner ({{ fwconf.users | join(' ') }}) ACCEPT;
                {% if not firewall_debug %}#{% endif %}LOG log-prefix "ferm OUTPUT REJECT: " log-level warning;
                REJECT;
            }
{% endif %}
{% endfor %}
        }
{% endif %}
        chain FORWARD {
            @if @not(@eq(@length(BRIDGES),0)) {
                interface ($BRIDGES) {
                    ACCEPT;
                }
            } @else {
                {% if not firewall_debug %}#{% endif %}LOG log-prefix "ferm FORWARD REJECT: " log-level warning;
                REJECT;
            }
        }
    }
}