[Unit]
Description=Performance West host firewall (nft input + DOCKER-USER egress-only)
After=docker.service nftables.service network-online.target
Wants=network-online.target
Requires=docker.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/nft -f /etc/pw-firewall/pw-firewall.nft
ExecStart=/usr/local/sbin/pw-docker-fw.sh
ExecReload=/usr/sbin/nft -f /etc/pw-firewall/pw-firewall.nft

[Install]
WantedBy=multi-user.target