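# FireHOL configuration for a host with a WAN link (eth0), a LAN link (enp7s0)
# and a set of container/CNI interfaces. FireHOL sources this file with bash,
# so plain shell variables and command substitution are available.

# Pick up whatever addresses are currently assigned to the WAN interface, so that
# the SNAT target and the dst4/dst6 filters below follow the interface.
# "scope global" keeps link-local (fe80::/10) and other non-global addresses out
# of the list; without it the IPv6 match would also return the link-local address.
public_ip4="$(ip -4 addr show dev eth0 scope global | grep -oP '(?<=inet\s)\d+(\.\d+){3}')"
public_ip6="$(ip -6 addr show dev eth0 scope global | grep -oP '(?<=inet6\s)[\da-f:]+')"

# NOTE(review): lan_ips4 is not referenced by any rule in this file as shown.
lan_ips4="10.0.0.0/8"
LAN="enp7s0"
WAN="eth0"
# Interface name patterns for the container/overlay networks (a trailing "+" is a prefix match).
CONTAINERS="vxlan+ flannel+ cni+ cali+ docker+ podman+"

# Custom "k3s" service: the API listens on tcp/6443. Clients connect from
# ephemeral source ports, so the client side must be "default" — a fixed
# client port of 6443 would only match connections whose source port is 6443.
server_k3s_ports="tcp/6443"
client_k3s_ports="default"

version 6

# use snat to outgoing ip4 address
ipv4 snat to "${public_ip4}" outface ${WAN}

# enable ipv6 basic stuff on all interfaces
ipv6 interface any v6interop proto icmpv6
    client ipv6neigh accept
    server ipv6neigh accept
    client ipv6router accept
    server ipv6router accept
    client ipv6mld accept
    server ipv6mld accept
    policy return

# enable dhcpv6 on all interfaces
ipv6 interface any dhcpv6
    server dhcpv6 accept
    client dhcpv6 accept
    policy return

# allow everything on lan, containers
interface "${LAN} ${CONTAINERS}" lan
    policy accept

# protect from the internet
# NOTE(review): confirm that UNROUTABLE_IPS carries IPv6 prefixes in this FireHOL
# version; if it is an IPv4-only list the "src6 not" clause does not filter what
# the name suggests.
interface46 "${WAN}" internet src4 not "${UNROUTABLE_IPS}" dst4 "${public_ip4}" src6 not "${UNROUTABLE_IPS}" dst6 "${public_ip6}"
    protection strong
    client all accept
    server ident reject with tcp-reset
    server "http https" accept
    server "pop3 pop3s smtp smtps imap imaps sieve" accept
    server "k3s" accept

# Accept all traffic from the container interfaces towards the internet or towards other containers. Note that
# This doesn't mean all traffic is allowed, since Kubernetes will have its own rules that will beat these.
# This router also covers container -> LAN, so any restriction on what containers may
# reach on the LAN has to come from those Kubernetes/CNI rules, not from here.
router containers inface "${LAN} ${CONTAINERS}" outface "${LAN} ${CONTAINERS} ${WAN}"
    policy accept

# Connection between internet and lan
# Only LAN-initiated connections are accepted here; unsolicited traffic from
# ${WAN} towards ${LAN} falls through to the router's default policy.
router internet2lan inface ${WAN} outface ${LAN}
    client all accept

# allow all outgoing traffic, but I do think this is redundant with the containers policy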