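#!/usr/sbin/nft -f
# Host firewall for a WireGuard endpoint, allowlist stance: anything not
# explicitly accepted in `input` or `forward` is dropped.
flush ruleset

table inet filter {
    chain input {
        # `policy drop;` is what makes the allowlist real: a base chain with no
        # policy keyword defaults to `policy accept`, so without it every packet
        # that fails to match a rule below would have been accepted.
        type filter hook input priority 0; policy drop;

        # Accept localhost
        iif lo accept

        # Replies to connections this host opened (DNS, package updates, the
        # WireGuard handshake responses). Required once the policy is drop;
        # without it no outbound connection can receive its return packets.
        ct state established,related accept
        ct state invalid drop

        # Accept WireGuard traffic (UDP listen port of the wg0 tunnel)
        udp dport 51820 accept

        # Traffic arriving through the tunnel is dropped unless a rule above
        # this one accepts it. `iifname` matches by name, so the ruleset loads
        # even when wg0 does not exist yet; `iif` resolves the interface index
        # at load time and makes `nft -f` fail if the tunnel is not up.
        iifname "wg0" drop
    }

    chain forward {
        # Default deny: this host does not route between interfaces.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound traffic originated by the host itself is allowed.
        type filter hook output priority 0; policy accept;
    }
}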