bundles/nftables: store rules in dedicated files instead of nftables.conf

2021-12-14 14:03:13 +01:00 · 2021-12-14 14:03:13 +01:00 · 0101e0c92d
commit 0101e0c92d
parent 1742f51778
11 changed files with 77 additions and 102 deletions
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -18,16 +18,6 @@ defaults = {
            },
        },
    },
-    'nftables': {
-        'rules': {
-            'forward': {
-                'wireguard': [
-                    'iif wg0 accept',
-                    'oif wg0 accept',
-                ],
-            },
-        },
-    },
    'wireguard': {
        'privatekey': repo.libs.keys.gen_privkey(repo, f'{node.name} wireguard privatekey'),
    },
@ -221,17 +211,20 @@ def interface_ips(metadata):


@metadata_reactor.provides(
-    'nftables/rules/nat_postrouting',
+    'nftables/rules/10-wireguard',
 )
 def snat(metadata):
    if not node.has_bundle('nftables'):
        raise DoNotRunAgain

-    rules = set()
+    rules = {
+        'inet filter forward iif wg0 accept',
+        'inet filter forward oif wg0 accept',
+    }

    for config in metadata.get('wireguard/peers', {}).values():
        if 'snat_to' in config:
-            rules.add('ip saddr {} ip daddr != {} snat to {}'.format(
+            rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format(
                config['my_ip'],
                config['their_ip'],
                config['snat_to'],
@ -240,7 +233,7 @@ def snat(metadata):
    return {
        'nftables': {
            'rules': {
-                'nat_postrouting': rules,
+                '10-wireguard': sorted(rules),
            },
        },
    }