# @summary Outbound nftables rules for a Consul agent.
#
# Declares one nftables::rule per port/protocol pair. Rule names and rule
# content are the same as in the hand-written, one-resource-per-rule form.
#
# Scope of the rules:
# - 8301 and 8302 (udp and tcp) are accepted towards ANY destination; the
#   rule text carries no `ip daddr` match.
# - 8300, 8500 and 8503 (tcp) are accepted only towards members of the
#   nftables set named by $ipset.
#
# NOTE(review): the gossip rules are the widest part of this policy. If the
# set of gossip peers can be enumerated, matching them against a set as well
# would tighten egress -- confirm against the cluster topology first.
#
# @param ipset
#   Name of the nftables set used in the `ip daddr @<set>` match. The value
#   is interpolated into the rule text as-is; it is presumably defined
#   elsewhere in the same table (not visible in this file) -- TODO confirm.
class firewall::rules::out::consul (
  String $ipset = 'consul',
) {
  # serf traffic (lan and wan): every port over both transports,
  # no destination restriction
  [8301, 8302].each |$gossip_port| {
    ['udp', 'tcp'].each |$proto| {
      nftables::rule { "default_out-consul_${proto}_${gossip_port}":
        content => "${proto} dport ${gossip_port} accept",
      }
    }
  }

  # communication with servers: tcp only, destination must be in @$ipset
  [8300, 8500, 8503].each |$server_port| {
    nftables::rule { "default_out-consul_tcp_${server_port}":
      content => "tcp dport ${server_port} ip daddr @${ipset} accept",
    }
  }
}