#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept comment "Accept localhost traffic"
        ct state invalid drop comment "Drop invalid connections"
        ct state established,related accept comment "Accept established and related connections"
        meta l4proto { icmp, ipv6-icmp } accept comment "Accept ICMP/ICMPv6 traffic"
        ip protocol igmp accept comment "Accept IGMP traffic"

        udp dport mdns accept comment "Accept mDNS"
    }
}