add table inet dfw
flush table inet dfw
add chain inet dfw input { type filter hook input priority -5 ; }
add rule inet dfw input ct state invalid drop
add rule inet dfw input ct state { related, established } accept
add chain inet dfw forward { type filter hook forward priority -5 ; }
add rule inet dfw forward ct state invalid drop
add rule inet dfw forward ct state { related, established } accept
add table ip dfw
flush table ip dfw
add chain ip dfw prerouting { type nat hook prerouting priority -105 ; }
add chain ip dfw postrouting { type nat hook postrouting priority 95 ; }
add table ip6 dfw
flush table ip6 dfw
add chain ip6 dfw prerouting { type nat hook prerouting priority -105 ; }
add chain ip6 dfw postrouting { type nat hook postrouting priority 95 ; }
add rule inet dfw forward tcp dport 80 ip daddr $dst_ip=ip meta iifname eni oifname $output=bridge meta mark set 0xdf accept
add rule ip dfw prerouting tcp dport 8080 meta iifname eni meta mark set 0xdf dnat ${dst_ip=ip}:80
add rule ip6 dfw prerouting tcp dport 8080 meta iifname eni meta mark set 0xdf
add rule inet dfw input meta iifname docker0 meta mark set 0xdf accept