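#!/usr/sbin/nft -f

# Debugging ruleset: source NAT towards the "up" VRF plus nftrace on all IPv4.
# NOTE(review): every chain below is `policy accept` with an explicit `accept`
# as its last (usually only) rule, so this file does no filtering at all, and
# `flush ruleset` first discards whatever ruleset was loaded before it. Load it
# only on hosts where dropping the existing firewall is intended.

flush ruleset

# Counting IPv4 packets in `inet` tables (example rule, not loaded):
# meta nfproto ipv4 counter accept

# NAT when routing packets from some VRF to "up" VRF.
# Only IPv4 is NATed (`ip saddr`); IPv6 traverses these inet chains untouched.
# `oif "up"` is resolved to the interface index at load time, so the "up"
# interface has to exist when this file is loaded (`oifname` would match by
# name at packet time instead).
table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 100.64.0.0/10 oif "up" counter masquerade
        # 192.0.2.2 is statically routed: stops working as soon as NAT is enabled
        # ip saddr 192.0.2.2/32 oif "up" counter masquerade
        accept # less noise in trace
    }

    # pre kernel 4.18 needs this: the nat prerouting hook has to be registered
    # as well for the postrouting masquerade to take effect.
    # `dstnat` is the symbolic form of the previous literal -100.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        accept # less noise in trace
    }
}

# Trace all IPv4:
# define filter hooks so we see packets tracing through them.
# These chains only make each hook appear in the trace output; they carry no
# filtering rules.
table inet main {
    chain prerouting {
        type filter hook prerouting priority filter; policy accept;
        accept # less noise in trace
    }

    chain input {
        type filter hook input priority filter; policy accept;
        accept # less noise in trace
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        accept # less noise in trace
    }

    chain output {
        type filter hook output priority filter; policy accept;
        accept # less noise in trace
    }

    chain postrouting {
        type filter hook postrouting priority filter; policy accept;
        accept # less noise in trace
    }
}

# enable tracing for all IPv4 packets (either start in prerouting or output).
# `table ip` means only IPv4 is traced; IPv6 packets are not marked.
# Priority -350 sorts ahead of raw (-300) and conntrack (-200), so the trace
# flag is set before any later hook sees the packet. Traced packets are
# reported to `nft monitor trace`, which exposes addresses and ports of all
# IPv4 traffic on the host while this ruleset is loaded.
table ip traceall {
    chain prerouting {
        type filter hook prerouting priority -350; policy accept;
        meta nftrace set 1 accept
    }

    chain output {
        type filter hook output priority -350; policy accept;
        meta nftrace set 1 accept
    }
}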