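#!/usr/bin/nft -f
# Host firewall: default-deny on input, forward and output, with SSH reachable
# on the two ports below. Load with `nft -f <this file>`; the shebang needs
# `-f`, otherwise nft would parse the file path as a command.
#
# `flush ruleset` removes every table, including ones owned by other tools on
# the host, so this file must be the sole owner of the ruleset.

flush ruleset

define SSH_PORT1 = 22
define SSH_PORT2 = 8022

# `inet` covers IPv4 and IPv6 in one table. The original `ip` family filtered
# IPv4 only, leaving every IPv6 hook at its default accept — the stated
# default-deny policy did not apply to IPv6 at all.
table inet filter {
	# Constant set: its members are fixed at load time and cannot be added to
	# or removed at runtime, which keeps the allow-list tamper-evident.
	set allowed_tcp_ports {
		type inet_service
		flags constant
		elements = { $SSH_PORT1, $SSH_PORT2 }
	}

	chain in {
		type filter hook input priority filter; policy drop;

		# Loopback is local-only; without this, services on the host cannot
		# reach each other (the policy is drop).
		iif "lo" accept

		# Packets conntrack cannot classify (malformed, out-of-window).
		ct state invalid drop

		# Reply traffic for flows this host already tracks.
		ct state { related, established } accept

		# IPv6 neighbour discovery is required for IPv6 to function at all
		# once the inet family filters it; nothing else ICMPv6 is opened.
		icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

		# New inbound TCP only on the allow-listed ports.
		tcp dport @allowed_tcp_ports accept
	}

	chain forward {
		# This host does not route; nothing is forwarded.
		type filter hook forward priority filter; policy drop;
	}

	chain out {
		type filter hook output priority filter; policy drop;

		oif "lo" accept
		ct state invalid drop

		# Replies to inbound SSH sessions leave through this hook. With an
		# output policy of drop and no accept rule, the original ruleset
		# dropped those replies and the host was unreachable over SSH.
		ct state { related, established } accept

		# Neighbour solicitation/advertisement on the way out, same reason as
		# on input.
		icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept

		# New outbound connections (DNS, NTP, package mirrors, ...) stay
		# denied; this keeps the strict-egress stance of the original file.
		# Add explicit `accept` rules here for any egress the host needs.
	}
}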