firewall/zones/prerezotage.nft
2019-09-14 19:50:27 +02:00


#! /sbin/nft -f
# Filtering rules for the "prerezotage" zone, declared in the dual-stack
# (inet) table "firewall".
# The $-variables used below are not defined in this file; presumably they
# come from `define` statements in a file loaded alongside this one (confirm).
table inet firewall {
# Allow-list of destination addresses for traffic leaving the zone.
# Elements are IPv4 only; `flags interval` lets an element be a prefix or a
# range rather than a single host address.
# NOTE(review): the variable names suggest a payment provider, the public
# website, external DNS resolvers and the intranet. Confirm each one expands
# to the narrowest address range that is actually needed.
set allowed_daddr_prerezotage {
type ipv4_addr
flags interval
elements = {
$comnpay,
$website,
$external_dns,
$intranet
}
}
# Regular chain (no hook is declared here), so it is only evaluated when
# another chain jumps or gotos to it.
# Every packet that reaches it is accepted unconditionally: there is no
# connection-state, protocol or port match in this chain.
chain to_prerezotage {
accept
}
# Regular chain (no hook is declared here) for traffic coming from the zone.
# It drops IPv4 packets whose destination is not in the allow-list. There is
# no accept verdict: packets that are not dropped reach the end of the chain
# and return to the calling chain, which decides their fate.
# NOTE(review): `ip daddr` only matches IPv4. In an inet table, IPv6 packets
# never match this rule, so this chain does not drop them. Confirm that IPv6
# traffic from this zone is blocked elsewhere.
# NOTE(review): the match is on destination address only, so any protocol
# and port towards an allow-listed address passes this chain.
chain from_prerezotage {
ip daddr != @allowed_daddr_prerezotage drop
}
}
# Source NAT for the "prerezotage" zone.
# No address family is given, so nft uses its default family, `ip` (IPv4 only).
table nat {
# Regular chain (no hook is declared here): it only takes effect when a NAT
# base chain defined elsewhere jumps to it.
# The source address of every packet reaching this chain is rewritten to
# $ip_self_public, which is not defined in this file.
# NOTE(review): there is no match on source address or output interface,
# so the scope of this NAT depends entirely on the jump rule in the caller.
# Verify that only zone traffic is sent here.
chain prerezotage_nat {
snat to $ip_self_public
}
}