
#!/usr/sbin/nft -f
# rules for ipsec traffic using classic xfrm translation
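table ip filter {
	# NOTE(review): "nft -f" on this file ADDS to an existing "ip filter" table
	# rather than replacing it, so loading it twice appends duplicate rules.
	# Confirm the deployment flushes this table (or the ruleset) before loading.
	#
	# EPDG_TUN_INTERFACE and GTP_TRAFFIC_FWMARK are bare symbols, not nft
	# "define"s (those would be referenced as $NAME); they are presumably
	# substituted by the deployment tooling before the file is loaded.

	# Host-bound traffic is not restricted by this table.
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}

	# Default-deny on the forward path: only the two flows below are allowed.
	chain FORWARD {
		type filter hook forward priority filter; policy drop;

		# Packets that went through xfrm (decapsulated IPsec) and leave via the
		# EPDG tunnel interface.  "meta ipsec exists" plus the output interface
		# is the whole admission check for this direction; there is no
		# source/destination filtering on the inner packet.
		meta ipsec exists oifname "EPDG_TUN_INTERFACE" counter accept comment "All decoded ipsec traffic forwarded to osmo-epdg";

		# Return direction: packets arriving from the EPDG tunnel interface.
		# The mark is assigned in "table ip mangle", chain PREROUTING, from the
		# same iifname condition, so this rule only matches when the mangle
		# table is loaded too.  Counter added to match the rule above so both
		# accept paths can be audited with "nft list ruleset".
		iifname "EPDG_TUN_INTERFACE" meta mark GTP_TRAFFIC_FWMARK counter accept comment "Accept all traffic from the gtp interface";
	}

	# Locally generated traffic is not restricted by this table.
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}
}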
table ip mangle {
	# Marks assigned in PREROUTING are consumed by "table ip filter", chain
	# FORWARD: the prerouting hook runs before the forward hook, so the mark is
	# already present when that chain evaluates the packet.
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;

		# Packets processed by xfrm (decapsulated IPsec) receive the ipsec mark.
		meta ipsec exists meta mark set IPSEC_TRAFFIC_FWMARK comment "Route incoming ipsec decoded pkts to osmo-epdg";

		# Packets entering from the EPDG tunnel interface receive the gtp mark.
		# NOTE(review): "meta mark set" replaces the whole mark value; if any
		# other component also sets fwmark bits on these packets, confirm that
		# overwriting them is intended.
		iifname "EPDG_TUN_INTERFACE" meta mark set GTP_TRAFFIC_FWMARK comment "Route incoming gtp decoded pkts from osmo-epdg";
	}

	# Remaining base chains are registered but carry no rules.
	# OUTPUT is a "route" chain, so a mark set here would trigger a re-route
	# lookup for locally generated packets; nothing is set at present.
	chain OUTPUT {
		type route hook output priority mangle; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain INPUT {
		type filter hook input priority mangle; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
	}
}