#!/usr/bin/env -S nft -f

table inet {{ vpn_wireguard_iface }}_inet {
        chain forward {
                type filter hook forward priority 0;
                iif {{ vpn_wireguard_iface }} tcp flags syn tcp option maxseg size set rt mtu;
                oif {{ vpn_wireguard_iface }} tcp flags syn tcp option maxseg size set rt mtu;
        }
{% if vpn_wireguard_role == "server" %}

        chain postrouting {
                type nat hook postrouting priority 100;
                iif {{ vpn_wireguard_iface }} oif {{ ansible_default_ipv4.interface }} masquerade;
        }
{% endif %}
}