qusal/salt/sys-wireguard/files/server/qubes-firewall.d/55-sys-wireguard-tunnel
Ben Grande 6ec0768f13
fix: clean Wireguard rules
- Remove OpenVPN code comments;
- Reorganize rules for easier reading;
- Server can connect without having a client attached;
- Systemd service for easier monitoring of wg-quick; and
- Firewall also restarts wg-quick and applies new endpoint rules.
2024-06-19 15:08:03 +02:00


#!/usr/sbin/nft -f
# vim: ft=nftables
# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
# SPDX-FileCopyrightText: 2023 1cho1ce <https://github.com/1cho1ce>
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: GPL-3.0-or-later
# qubes-firewall provides custom-input/custom-forward hooks but no output chain,
# so add one for this VM's own traffic ("add chain" is a no-op if it exists).
add chain ip qubes output { type filter hook output priority 0; policy accept; }
add chain ip6 qubes output { type filter hook output priority 0; policy accept; }
# Start from an empty forward chain so re-running this file does not stack
# duplicate rules (custom-input and output below are not flushed here).
flush chain ip qubes custom-forward
flush chain ip6 qubes custom-forward
# Interface group 1 is the uplink (towards the upstream NetVM). Never forward
# client-qube traffic to or from it: the only forward path left is the
# WireGuard interface, so nothing from the clients leaks around the tunnel.
insert rule ip qubes custom-forward iifgroup 1 drop
insert rule ip6 qubes custom-forward iifgroup 1 drop
insert rule ip qubes custom-forward oifgroup 1 drop
insert rule ip6 qubes custom-forward oifgroup 1 drop
# Drop ICMP addressed to this VM and ICMP it would itself send out the uplink.
# Caveat: in the ip6 family "meta l4proto icmp" matches IP protocol 1, not
# ICMPv6 (protocol 58), so the ip6 rules below match nothing. The ICMPv6
# keyword is "icmpv6", but dropping it wholesale also drops neighbour
# discovery on the uplink, so the rules are left as they are here.
insert rule ip qubes custom-input meta l4proto icmp drop
insert rule ip6 qubes custom-input meta l4proto icmp drop
insert rule ip qubes output oifgroup 1 meta l4proto icmp drop
insert rule ip6 qubes output oifgroup 1 meta l4proto icmp drop