Redesign of the nft firewall based on an existing Ansible playbook for the same purpose.

templates/nftables.conf.in

@@ -1,5 +1,13 @@
 #!/usr/sbin/nft -f
 
+#
+# Static firewall template.
+# This file contains shell-style placeholders ($VARS) that are replaced by fw-apply via envsubst.
+#
+# Important:
+# - We only manage table inet fw_static.
+# - We do NOT flush the entire ruleset (fail2ban rules remain intact).
+
 table inet fw_static {
 
   chain input {
@@ -11,10 +19,8 @@ table inet fw_static {
 
     # Public: ICMP (optional)
 $ICMP_PUBLIC_IN_RULES
-
     # Public: SSH IN (optional)
 $SSH_PUBLIC_IN_RULE
-
     # Private network (in)
     iif "$PRIV_IF" ip saddr $PRIV_NET accept
   }
@@ -26,12 +32,10 @@ $SSH_PUBLIC_IN_RULE
     oif "lo" accept
     ct state established,related accept
 
-   # Public: ICMP (optional)
+    # Public: ICMP (optional)
 $ICMP_PUBLIC_OUT_RULES
-
     # Public: APT OUT (optional) - includes DNS + HTTP/HTTPS
 $APT_PUBLIC_OUT_RULES
-
     # Private network (out)
     oif "$PRIV_IF" ip daddr $PRIV_NET accept
   }
@@ -41,3 +45,4 @@ $APT_PUBLIC_OUT_RULES
     policy drop;
   }
 }
+