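{#
  pf.conf fragment generated from the `network` (and `firewall`) variables:
  scrub, then NAT, then port forwards (rdr), then filter rules.  pf consumes
  those sections in that order, so the emission order below must be kept.

  Shape of the input as this template reads it (confirm against the inventory):
    network.nat[]             intdevice, extdevice, ipv4?, ipv6?, forwards?[]
    network.nat[].forwards[]  to: {port?, natport?}, from?: {ipv4?, ipv6?, port?},
                              protocol? (defaults to tcp)
    network.devices[<dev>]    ipv4?, ipv6?  (static address of the external device)
    firewall.rules[]          action, direction?, interface?, af?, protocol?,
                              src_address?, src_port?, dst_address?, dst_port?
  Every value is interpolated into pf.conf verbatim and nothing here validates
  addresses, ports or actions, so the inventory is trusted input.
#}
{% if network.nat is defined %}
{#   `natifs` is appended to in the loop body, so the loop filter skips an
     internal device that already has a NAT rule; loop.index counts kept items
     only, hence `scrub in all` is emitted exactly once, and only when NAT is
     configured at all. #}
{%   set natifs = [] %}
{%   for nif in network.nat if not nif.intdevice in natifs %}
{%     if loop.index == 1 %}
scrub in all
{%     endif %}
{%     do natifs.append(nif.intdevice) %}
{#     (extdevice) in parentheses makes pf follow the external address dynamically #}
{%     if nif.ipv4 is defined %}
{{ 'nat on %s inet from %s:network to any -> (%s)' | format(nif.extdevice, nif.intdevice, nif.extdevice) }}
{%     endif %}
{%     if nif.ipv6 is defined %}
{{ 'nat on %s inet6 from %s:network to any -> (%s)' | format(nif.extdevice, nif.intdevice, nif.extdevice) }}
{%     endif %}
{%   endfor %}
{#   Port forwards: one rdr rule per forward and address family.  The two
     families differ only in the af keyword and the attribute name, so one
     table drives both instead of two copies of the same block. #}
{%   for nif in network.nat %}
{%     for fwd in (nif.forwards | default({})) %}
{%       for af, ver in [('inet', 'ipv4'), ('inet6', 'ipv6')] %}
{%         if fwd.to is defined and nif[ver] is defined %}
{%           set proto = 'proto %s' | format(fwd.protocol | default('tcp')) %}
{#           source defaults to any; a source port is only honoured when `from` is given #}
{%           set srcaddr = (fwd.from[ver] | default('any')) if fwd.from is defined else 'any' %}
{%           set srcport = ('port %s' | format(fwd.from.port)) if (fwd.from is defined and fwd.from.port is defined) else '' %}
{#           NOTE(review): when the external device has no static address the rule
             reads `to port N`, i.e. any destination address arriving on that
             interface, not only the host's own; `'(%s)' | format(nif.extdevice)`
             would restrict it to the interface address -- confirm which is
             intended before changing it. #}
{%           set destaddr = network.devices[nif.extdevice][ver] if network.devices[nif.extdevice][ver] is defined else '' %}
{%           set destport = ('port %s' | format(fwd.to.port)) if fwd.to.port is defined else '' %}
{%           set natport = ('port %s' | format(fwd.to.natport)) if fwd.to.natport is defined else '' %}
{#           the redirect target is the internal address with its prefix length stripped #}
{%           set target = nif[ver] | regex_replace("/[0-9]*", "") %}
{%           set rule = 'rdr on %s %s %s from %s %s to %s %s -> %s %s' | format(nif.extdevice, af, proto, srcaddr, srcport, destaddr, destport, target, natport) %}
{{ rule | regex_replace('\\s+', ' ') | trim() }}
{%         endif %}
{%       endfor %}
{%     endfor %}
{%   endfor %}
{% endif %}
{% if network.firewall is defined %}
{#   NOTE(review): the guard tests network.firewall but the rules are read from
     the top-level `firewall` variable; if those are meant to be the same thing
     the loop should read network.firewall.rules.  Left as-is because both may
     legitimately exist side by side. #}
{#   Rules are emitted in inventory order.  pf is last-match-wins unless a rule
     carries `quick`, and a rule without `direction` matches both in and out. #}
{%   for rl in (firewall.rules | default({})) %}
{%     set direction = rl.direction if rl.direction is defined else '' %}
{%     set iface = ('on %s' | format(rl.interface)) if rl.interface is defined else '' %}
{%     set af = rl.af if rl.af is defined else '' %}
{%     set proto = ('proto %s' | format(rl.protocol)) if rl.protocol is defined else '' %}
{#     pf only accepts `port` after a `from`/`to` host, so a port given without
       an address gets an explicit `any` host instead of a bare, unparsable `port N` #}
{%     set srcaddr = ('from %s' | format(rl.src_address | default('any'))) if (rl.src_address is defined or rl.src_port is defined) else '' %}
{%     set srcport = ('port %s' | format(rl.src_port)) if rl.src_port is defined else '' %}
{%     set dstaddr = ('to %s' | format(rl.dst_address | default('any'))) if (rl.dst_address is defined or rl.dst_port is defined) else '' %}
{%     set dstport = ('port %s' | format(rl.dst_port)) if rl.dst_port is defined else '' %}
{%     set rule = '%s %s %s %s %s %s %s %s %s' | format(rl.action, direction, iface, af, proto, srcaddr, srcport, dstaddr, dstport) %}
{{ rule | regex_replace('\\s+', ' ') | trim() }}
{%   endfor %}
{% endif %}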