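# Per-host firewall policy, driven by `config.site.hosts.<hostName>`.
#
# When `firewall.enable` is set for the host, this turns on the NixOS
# firewall and adds two groups of raw rules through `ip46tables` (so they
# apply to both IPv4 and IPv6):
#
#   * routers only: accept OSPF in the `nixos-fw` chain;
#   * every host: packets arriving on interface `core` are forwarded only
#     as part of an already established/related flow; anything else coming
#     in from `core` is rejected.
{ hostName, config, lib, ... }:

let
  # Site-level description of the host this configuration is built for.
  hostConfig = config.site.hosts.${hostName};
in
lib.mkIf hostConfig.firewall.enable {
  networking.firewall = {
    enable = true;

    # Fix: the router snippet was spliced in with `lib.optional`, which
    # returns a list; a list cannot be interpolated into a string, so
    # evaluation fails. `lib.optionalString` yields "" for non-routers.
    #
    # Rule order matters: the ESTABLISHED,RELATED accept must stay ahead of
    # the REJECT, otherwise replies to flows opened from other interfaces
    # would be rejected as well.
    #
    # NOTE(review): the OSPF accept has no `-i <iface>` restriction, so a
    # router accepts OSPF on every interface. Confirm that is intended, or
    # limit it to the links where adjacencies are expected.
    # NOTE(review): `-m state --state` is the legacy spelling of
    # `-m conntrack --ctstate`; left untouched here.
    # NOTE(review): the FORWARD rules use `-A`. If these commands are ever
    # re-run without the stop commands below, duplicates accumulate -
    # confirm against the firewall service's start/reload behaviour.
    extraCommands = ''
      ${lib.optionalString hostConfig.isRouter ''
        ip46tables -I nixos-fw -p ospfigp -j ACCEPT
      ''}
      ip46tables -A FORWARD -i core -m state --state ESTABLISHED,RELATED -j ACCEPT
      ip46tables -A FORWARD -i core -j REJECT
    '';

    # Flushes the whole FORWARD chain, not only the two rules added above.
    # NOTE(review): any FORWARD rule installed by another service is removed
    # too, and the `core` restriction is gone while the firewall is stopped.
    extraStopCommands = ''
      ip46tables -F FORWARD
    '';
  };
}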