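#!/usr/sbin/nft -f

# Minimal default-deny inbound ruleset for a single host. The inet family
# covers both IPv4 and IPv6.
#
# Layout matters: the shebang must be alone on the first line and every
# '#' comment must end at its own newline. If the file is collapsed onto
# one line, the comments swallow the rules that follow them.
#
# Review notes:
#  - `flush ruleset` removes every table in every family, including tables
#    installed by other tools on the host, not just the one defined below.
#  - Only the input hook is filtered. No forward or output chain is defined,
#    so forwarded and locally generated traffic is not restricted by this file.
#  - No rule admits new inbound connections. Any service that must be
#    reachable (for example remote administration) needs an explicit accept
#    rule, added before this is loaded over a remote session.

flush ruleset

table inet filter {
	chain input {
		# Base chain on the input hook; anything not accepted below is dropped.
		type filter hook input priority filter; policy drop;

		# accept any localhost traffic
		iif lo accept

		# accept traffic originated from us: replies on connections this host
		# opened, plus related packets such as ICMP errors for those flows
		ct state established,related accept

		# accept neighbour discovery otherwise connectivity breaks
		# (IPv6 address resolution and router discovery depend on it).
		# NOTE(review): router advertisements are accepted from any sender;
		# whether the host acts on them is decided by the kernel's accept_ra
		# setting, not by this ruleset.
		# NOTE(review): echo-request is not in the set, so this host does not
		# answer unsolicited IPv6 pings; confirm that is intended.
		icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
	}
}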