From 7dfc94233816738365895037599fdd5e38c107a5 Mon Sep 17 00:00:00 2001
From: FollieHiyuki
Date: Tue, 22 Jun 2021 02:12:04 +0300
Subject: [PATCH] nftables: move nat to another table for visibility
---
 system/etc/nftables.conf | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/system/etc/nftables.conf b/system/etc/nftables.conf
index 455bede..ec468b6 100644
--- a/system/etc/nftables.conf
+++ b/system/etc/nftables.conf
@@ -34,11 +34,7 @@ table inet filter {
 iifname "virbr0" counter reject with icmpx type port-unreachable
 }
- chain libvirt_postrouting {
- ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter masquerade
- }
-
- # Default to drop all inbound traffic, unless they meet our criteria
+ # Default to drop all inbound traffic, unless they meet the criteria
 chain input {
 type filter hook input priority 0; policy drop;
@@ -131,6 +127,12 @@ table inet filter {
 counter comment "Count accepted packets"
 #log prefix "[nftables] Outbound Accepted: " flags all
 counter accept
 }
+}
+
+table inet nat {
+ chain libvirt_postrouting {
+ ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter masquerade
+ }
 chain postrouting {
 type nat hook postrouting priority 100; policy accept;
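Review bot: The relocated `libvirt_postrouting` chain in the new `table inet nat` carries no hook statement, so its masquerade rule is only evaluated if the base `postrouting` chain in the same table jumps to it; the body of `postrouting` continues outside the second hunk, so I cannot see whether that jump moved along with the chain. In nftables a `jump`/`goto` cannot cross tables, so a `jump libvirt_postrouting` left behind in `table inet filter` should now fail at load time with an unresolved-chain error, while dropping the jump would silently stop masquerading 192.168.122.0/24 guest traffic. Please confirm the reference lives in `table inet nat` after this change, and add a one-line comment above the chain so the dependency is visible, e.g. `# regular chain: only reached via jump from chain postrouting below`.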