From 2b06c77439fb79f86ab390219ca90f1946c7c43a Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 14 Dec 2021 16:18:11 +0100
Subject: [PATCH] bundles/pppd: allow dynamic configuration of nftables rules
---
 bundles/pppd/files/ip-up | 3 +++
 bundles/pppd/items.py | 4 ++++
 nodes/home/router.py | 6 ++++--
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/bundles/pppd/files/ip-up b/bundles/pppd/files/ip-up
index 6d04d47..8eba2b9 100644
--- a/bundles/pppd/files/ip-up
+++ b/bundles/pppd/files/ip-up
@@ -3,6 +3,9 @@ INTERFACE=$1
 echo "add rule nat postrouting oif $INTERFACE masquerade" > /etc/nftables-rules.d/90-pppd
+% for rule in sorted(nftables):
+echo "add rule ${rule}" >> /etc/nftables-rules.d/90-pppd
+% endfor
 echo "net.ipv6.conf.$INTERFACE.accept_ra=2" > /etc/sysctl.d/90-pppd.conf
 if systemctl is-active nftables;
diff --git a/bundles/pppd/items.py b/bundles/pppd/items.py
index b55f0c5..c908449 100644
--- a/bundles/pppd/items.py
+++ b/bundles/pppd/items.py
@@ -59,6 +59,10 @@ files = {
 },
 '/etc/ppp/ip-up.d/nftables': {
 'source': 'ip-up',
+ 'content_type': 'mako',
+ 'context': {
+ 'nftables': node.metadata.get('pppd/nftables-rules.d', set()),
+ },
 'mode': '0755',
 },
 '/etc/ppp/peers/provider': {
diff --git a/nodes/home/router.py b/nodes/home/router.py
index eca665f..4994a1c 100644
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@@ -105,8 +105,6 @@ nodes['home.router'] = {
 '50-router': [
 # This is a router. Allow forwarding traffic for internal networks.
 'inet filter forward ct state { related, established } accept',
- 'inet filter forward iif enp1s0.23 oif ppp0 accept',
- 'inet filter forward iif enp1s0.42 accept',
 # yaaaaay, IPv6! No NAT!
 'inet filter forward ip6 nexthdr ipv6-icmp accept',
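Review bot: The new `echo "add rule ${rule}"` line emits every metadata rule inside a double-quoted shell string, so besides the intended `$INTERFACE` expansion any `"`, backtick, backslash or `$(` in a rule body is interpreted by the shell when ip-up runs, and `sorted(nftables)` means the rules land in the chain in lexicographic rather than intended order. Both are harmless for the accept-only rules this commit feeds in, but nft evaluates a chain top to bottom, so a drop or reject rule added to the set later could be sorted behind an accept it was meant to precede, and the expansion contract is invisible to whoever edits the metadata. I would put a shell comment above the loop so it survives into the rendered script: `# rules from metadata pppd/nftables-rules.d, emitted inside double quotes on purpose: $INTERFACE expands to the ppp interface at run time; order is alphabetical`. The `if systemctl is-active nftables;` block continues outside the hunk.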
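Review bot: The new `'context'` entry gives no hint what shape `pppd/nftables-rules.d` must have: the ip-up template calls `sorted()` on it and prefixes each element with `add rule`, so nodes have to supply a set (or list) of rule bodies without the leading `add rule`, and they may contain `$INTERFACE` because the rendered script is shell-expanded. A one-line comment on the `'context'` key would pin that down, e.g. `# set of nft rule bodies (no leading "add rule"); rendered into ip-up and shell-expanded there, so $INTERFACE is allowed`. The `files` dict starts and ends outside the hunk.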
@@ -148,6 +146,10 @@ nodes['home.router'] = {
 'username': vault.decrypt('encrypt$gAAAAABfr8DLAJhmUIhdxLq83I8MnRRvkRgDZcO8Brvw1KpvplC3K8ZGj0jIIWD3Us33vIP6t0ybd_mgD8slpRUk78Kqd3BMoQ=='),
 'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='),
 },
+ 'nftables-rules.d': {
+ 'inet filter forward iif enp1s0.23 oif $INTERFACE accept',
+ 'inet filter forward iif enp1s0.42 accept',
+ },
 },
 'unbound': {
 'restrict-to': {
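Review bot: The second rule, `'inet filter forward iif enp1s0.42 accept'`, does not reference the ppp interface, yet the -105 hunk of this file removes it from the static `'50-router'` list, so forwarding from enp1s0.42 now depends on the pppd ip-up hook having run rather than on the base ruleset; unless the intent is that the .42 network may only forward once the uplink is up, it could stay in `'50-router'`. The first rule's `$INTERFACE` is a plain Python string that only makes sense because `/etc/ppp/ip-up.d/nftables` expands it at run time, which is worth a comment on the key: `# rule bodies rendered into /etc/ppp/ip-up.d/nftables; $INTERFACE is expanded there to the ppp interface`. The enclosing dict (presumably the pppd section of `nodes['home.router']`) starts and ends outside the hunk.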