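# Firewall unit template for Risotto. Rendering walks every machine and emits
# one NAT MASQUERADE rule (plus the matching delete) per declared outgoing
# port. Lines starting with a percent sign are template directives and
# double-percent names are template variables.
[Unit]
Description=Firewall for Risotto
After=network.target

[Service]
# oneshot with RemainAfterExit: the unit stays active once the rules are
# added, so stopping it runs the ExecStop lines that delete the same rules.
Type=oneshot
RemainAfterExit=yes
# Each outgoing entry is either PORT (protocol defaults to tcp) or
# PROTOCOL:PORT. The split stops at the first colon so that
# PROTOCOL:LOW:HIGH keeps LOW:HIGH as an iptables port range instead of
# failing the two-name assignment. A bare LOW:HIGH with no protocol is still
# read as PROTOCOL:PORT, so always give the protocol with a range.
# NOTE(review): protocol and port are written into the command line as-is.
# systemd splits ExecStart on whitespace and expands environment variables
# and specifiers, so a value containing such characters would change the
# iptables arguments. Validate these values where the outgoing ports are
# defined (numeric port or range, known protocol name).
# NOTE(review): when no machine declares outgoing ports, no ExecStart or
# ExecStop line is rendered; systemd is expected to refuse a service that
# has neither. Confirm how that case is handled.
# The dash prefix on ExecStop ignores a failed delete, so a rule that is
# already gone does not fail the stop.
%for %%dns in %%machined.machines
%set %%machine = %%normalize_family(%%dns)
%set %%outgoing = %%machined['machine_' + %%machine]['outgoing_ports_' + %%machine]
%if %%outgoing
%for %%port in %%outgoing
%if ':' in %%port
%set %%protocol, %%port = %%port.split(':', 1)
%else
%set %%protocol = 'tcp'
%end if
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%get_ip(%%dns) -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%get_ip(%%dns) -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
%end for
%end if
%end for

[Install]
WantedBy=multi-user.target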