# Hand-written nftables firewall and NAT for this router.
#
# The NixOS NAT module and the built-in reverse-path check are switched off so
# that the rpfilter chain and the cloonar-nat table below are the only
# reverse-path / NAT rules this file relies on (presumably to avoid conflicting
# generated rules — confirm against the rest of the host configuration).
#
# Interface roles as inferred from the rules (verify against the host):
#   wan                                   upstream; only WireGuard and select ICMP are accepted
#   lan, server, vserver, wg_cloonar      trusted; may talk to the router and most segments
#   infrastructure, multimedia, smart     internal segments with narrower forward rules
#   wrwks, wg_epicenter, wg_ghetto_at     tunnels reachable only from inside; returning traffic only
#   podman*, vb-*, guest                  container / VM / guest bridges, WAN access only
{ pkgs, ... }: {
  networking = {
    # The custom rpfilter chain below replaces the NixOS reverse-path check.
    firewall.checkReversePath = false;
    # Masquerading and DNAT are defined by hand in the "cloonar-nat" table.
    nat.enable = false;
    nftables = {
      enable = true;
      tables = {
        # Packet filtering for both IPv4 and IPv6 (family inet).
        "cloonar-fw" = {
          family = "inet";
          content = ''
            chain output {
              type filter hook output priority 100; policy accept;
            }

            # Reverse-path filtering: drop packets whose source would not be
            # routed back out the interface they arrived on, except DHCPv4.
            chain rpfilter {
              type filter hook prerouting priority mangle + 10; policy drop;

              meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server"
              fib saddr . mark . iif oif exists accept
            }

            # Traffic addressed to the router itself.
            chain input {
              type filter hook input priority filter; policy drop;

              iifname "lo" accept comment "trusted interfaces"
              # Only new and untracked packets are handed to input-allow;
              # established/related are accepted here, invalid dropped.
              ct state vmap { invalid : drop, established : accept, related : accept, new : jump input-allow, untracked : jump input-allow }
              # NOTE(review): unlike the "Input - Drop" log below this has no
              # limit rate; internal hosts falling through input-allow can
              # fill the journal with one line per SYN — confirm whether that
              # is intended.
              tcp flags syn / fin,syn,rst,ack log prefix "refused connection: " level info
            }

            # Decides which new connections the router accepts. Anything not
            # matched returns to chain input and hits its drop policy.
            chain input-allow {
              # NOTE(review): "udp dport" restricts this rule to UDP, so TCP
              # SYNs are not rate limited here. The limit is also global
              # rather than per source, so one noisy host can cause drops
              # for every UDP source, including trusted interfaces — a
              # per-saddr meter would scope it; verify before changing.
              udp dport != { 53, 5353 } ct state new limit rate over 1/second burst 10 packets drop comment "rate limit for new connections"
              # Already accepted in chain input; kept for completeness.
              iifname lo accept
              iifname "wan" udp dport 51820 counter accept comment "Wireguard traffic"
              iifname { "server", "vserver", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
              iifname { "multimedia", "smart" } udp dport { 53, 5353 } counter accept comment "DNS"

              # Accept mDNS for avahi reflection
              iifname "server" ip saddr 10.42.97.20/32 tcp dport { llmnr } counter accept
              iifname "server" ip saddr 10.42.97.20/32 udp dport { mdns, llmnr } counter accept

              # Allow all returning traffic
              # NOTE(review): the vmap in chain input only jumps here for
              # new/untracked packets, so this and the per-interface
              # established/related rules below are not expected to match;
              # the per-interface drops are what take effect.
              ct state { established, related } counter accept

              # Allow returning traffic from wrwks and drop everything else
              iifname "wrwks" ct state { established, related } counter accept
              iifname "wrwks" drop

              # Allow returning traffic from wg_epicenter and drop everything else
              iifname "wg_epicenter" ct state { established, related } counter accept
              iifname "wg_epicenter" drop

              # Allow returning traffic from wg_ghetto_at and drop everything else
              iifname "wg_ghetto_at" ct state { established, related } counter accept
              iifname "wg_ghetto_at" drop

              # Allow returning traffic from wan and drop everything else
              iifname "wan" ct state { established, related } accept comment "Allow established traffic"
              iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
              # Terminal for wan: nothing from wan reaches the log rule in chain input.
              iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"

              limit rate 60/minute burst 100 packets log prefix "Input - Drop: " comment "Log any unmatched traffic"
            }

            # Traffic routed between interfaces. Rule order matters: the first
            # match wins, so broad accepts placed early shadow later ones.
            chain forward {
              type filter hook forward priority filter; policy drop;

              # NOTE(review): accepts every forwarded packet from wg_cloonar
              # regardless of destination (wan, wrwks, guest, podman*, ...)
              # ahead of the narrower rules below; the comment marks it as a
              # test, so consider removing it once testing is done.
              iifname "wg_cloonar" counter accept comment "test wireguard"
              # NOTE(review): forwarded packets do not egress via lo, so this
              # rule is likely never hit — check its counter.
              iifname "wg_cloonar" oifname lo counter accept comment "wireguard to server"

              # enable flow offloading for better throughput
              # ip protocol { tcp, udp } flow offload @f

              # multimedia airplay
              iifname "multimedia" oifname { "lan" } counter accept
              iifname "multimedia" oifname "server" tcp dport { 1704, 1705 } counter accept
              iifname "lan" oifname "server" udp dport { 5000, 5353, 6001 - 6011 } counter accept

              # avahi
              iifname "server" ip saddr 10.42.97.20/32 oifname { "lan" } counter accept

              # smart home coap
              iifname "smart" oifname "server" ip daddr 10.42.97.20/32 udp dport { 5683 } counter accept

              # Forward to git server (destination of the DNAT in cloonar-nat;
              # no iifname restriction, so any segment may reach these ports).
              oifname "server" ip daddr 10.42.97.50 tcp dport { 22, 80, 443 } counter accept

              # lan and vpn to any
              # TODO: disable wan when finished
              iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter accept
              iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept
              iifname { "infrastructure" } oifname { "server", "vserver" } counter accept

              # accept Palworld server
              # NOTE(review): cloonar-nat has no DNAT for these ports, so wan
              # traffic only lands on podman0 if something else (presumably
              # podman's own rules) rewrites the destination — verify.
              iifname { "wan", "lan" } oifname "podman0" udp dport { 8211, 27015 } counter accept

              # allow all established, related
              ct state { established, related } accept comment "Allow established traffic"

              # Allow trusted network WAN access
              iifname { "lan", "infrastructure", "server", "vserver", "multimedia", "smart", "wg_cloonar", "podman*", "guest", "vb-*", } oifname { "wan", } counter accept comment "Allow trusted LAN to WAN"

              limit rate 60/minute burst 100 packets log prefix "Forward - Drop: " comment "Log any unmatched traffic"
            }
          '';
        };

        # IPv4-only NAT: port forwarding on wan plus masquerading.
        "cloonar-nat" = {
          family = "ip";
          content = ''
            # Exposes tcp 22/80/443 on the wan address to the git server; the
            # matching accept lives in cloonar-fw chain forward.
            chain prerouting {
              type nat hook prerouting priority filter; policy accept;
              iifname "wan" tcp dport { 22, 80, 443 } dnat to 10.42.97.50
            }

            # Setup NAT masquerading on external interfaces
            chain postrouting {
              type nat hook postrouting priority filter; policy accept;
              oifname { "wan", "wg_cloonar", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
              # NOTE(review): rewrites the source of every forwarded packet to
              # the git server, including wan connections DNAT'd above, so the
              # git server only ever sees the router's address in its logs.
              # If this is only needed for hairpin access from inside, scoping
              # it to internal ingress interfaces would preserve client
              # addresses — confirm the server's return route before changing.
              ip daddr 10.42.97.50 masquerade
            }
          '';
        };
      };
    };
  };
}