#!/bin/bash

set -e

RULESET="table ip filter {
	map ipsec_in {
		typeof ipsec in reqid . iif : verdict
		flags interval
	}

	chain INPUT {
		type filter hook input priority 0; policy drop
		ipsec in reqid . iif vmap @ipsec_in
	}
}"

$NFT -f - <<< $RULESET