It’s just a simple note.

#!/usr/sbin/nft -f

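# Drop whatever ruleset is currently loaded so that (re)loading this file
# always yields exactly the rules written below.
flush ruleset

# Default-deny host firewall for IPv4 and IPv6 (family "inet").
# All three base chains use "policy drop": a packet passes only if a rule
# below, or a rule in an included fragment, accepts it.
table inet filter {
    # Source addresses allowed to open SSH connections over IPv4.
    # "flags interval" lets the set hold prefixes and ranges, not only hosts.
    # The <...> line is a placeholder and must be replaced with real
    # addresses before the file will load.
    set ssh_allow_v4 {
        type ipv4_addr
        flags interval
        elements = {
            <my trusted ip list>
        }
    }
    # IPv6 counterpart of ssh_allow_v4; same placeholder caveat.
    set ssh_allow_v6 {
        type ipv6_addr
        flags interval
        elements = {
            <my trusted ipv6 list>
        }
    }

    # Table-level fragments (extra sets, maps, chains). A wildcard include
    # that matches no file is not an error. Everything under
    # /etc/nftables.d becomes firewall policy, so keep that directory and
    # its files writable by root only.
    include "/etc/nftables.d/filter-global-*.conf";

    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback traffic is accepted; packets claiming a loopback
        # destination but arriving on any other interface are dropped.
        iif lo counter accept;
        iif != lo ip daddr 127.0.0.0/8 counter drop;
        iif != lo ip6 daddr ::1/128 counter drop;

        # Every ICMP / ICMPv6 type is accepted, without a rate limit.
        # NOTE(review): "ip6 nexthdr" compares only the Next Header field of
        # the fixed IPv6 header, so ICMPv6 carried behind an extension header
        # is not matched here; "meta l4proto ipv6-icmp" matches the actual
        # transport protocol - confirm which is intended.
        ip protocol icmp counter accept;
        ip6 nexthdr icmpv6 counter accept;

        # SSH is reachable only from the allow-list sets defined above.
        ip saddr @ssh_allow_v4 tcp dport 22 counter accept;
        ip6 saddr @ssh_allow_v6 tcp dport 22 counter accept;

        # Per-service input rules. They are evaluated before the conntrack
        # rule below, so a drop placed in a fragment also applies to packets
        # of already-established connections.
        include "/etc/nftables.d/filter-input-*.conf";

        # Replies to connections this host opened, and related traffic.
        ct state {established, related} counter accept;
    }
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Nothing is forwarded unless a fragment accepts it; only packets of
        # tracked connections pass the rule after the include.
        include "/etc/nftables.d/filter-forward-*.conf";

        ct state {established, related} counter accept;
    }
    chain output {
        type filter hook output priority filter; policy drop;

        # Loopback traffic is accepted. The two drop rules mirror the input
        # chain: a loopback destination must never leave through another
        # interface. They previously matched oifname "lo" as well, which the
        # accept above already handles, so they could never fire.
        oifname "lo" counter accept;
        oifname != "lo" ip daddr 127.0.0.0/8 counter drop;
        oifname != "lo" ip6 daddr ::1/128 counter drop;

        # Same ICMP / ICMPv6 handling (and the same nexthdr caveat) as in
        # the input chain.
        ip protocol icmp counter accept;
        ip6 nexthdr icmpv6 counter accept;

        # Outbound DNS (tcp+udp 53), NTP (udp 123) and HTTP/HTTPS.
        meta l4proto { tcp, udp } th dport 53 counter accept;
        udp dport 123 counter accept;
        tcp dport {80, 443} counter accept;

        # NOTE(review): this accepts new outbound TCP/UDP to any host on any
        # destination port from 1024 to 65535, so the drop policy restricts
        # egress far less than the specific rules above suggest. Narrow or
        # remove it if egress filtering is a goal.
        meta l4proto { tcp, udp } th dport 1024-65535 counter accept;

        include "/etc/nftables.d/filter-output-*.conf";

        # Replies on connections accepted by the input chain (for example
        # the server side of an SSH session) leave through this rule.
        ct state {established, related} counter accept;
    }
}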