bundles/pppd: allow dynamic configuration of nftables rules

bundles/pppd/files/ip-up

@@ -3,6 +3,9 @@
 INTERFACE=$1
 
 echo "add rule nat postrouting oif $INTERFACE masquerade" > /etc/nftables-rules.d/90-pppd
+% for rule in sorted(nftables):
+echo "add rule ${rule}" >> /etc/nftables-rules.d/90-pppd
+% endfor
 echo "net.ipv6.conf.$INTERFACE.accept_ra=2" > /etc/sysctl.d/90-pppd.conf
 
 if systemctl is-active nftables;

bundles/pppd/items.py

@@ -59,6 +59,10 @@ files = {
     },
     '/etc/ppp/ip-up.d/nftables': {
         'source': 'ip-up',
+        'content_type': 'mako',
+        'context': {
+            'nftables': node.metadata.get('pppd/nftables-rules.d', set()),
+        },
         'mode': '0755',
     },
     '/etc/ppp/peers/provider': {

nodes/home/router.py

@@ -105,8 +105,6 @@ nodes['home.router'] = {
                 '50-router': [
                     # This is a router. Allow forwarding traffic for internal networks.
                     'inet filter forward ct state { related, established } accept',
-                    'inet filter forward iif enp1s0.23 oif ppp0 accept',
-                    'inet filter forward iif enp1s0.42 accept',
 
                     # yaaaaay, IPv6! No NAT!
                     'inet filter forward ip6 nexthdr ipv6-icmp accept',
@@ -148,6 +146,10 @@ nodes['home.router'] = {
                 'username': vault.decrypt('encrypt$gAAAAABfr8DLAJhmUIhdxLq83I8MnRRvkRgDZcO8Brvw1KpvplC3K8ZGj0jIIWD3Us33vIP6t0ybd_mgD8slpRUk78Kqd3BMoQ=='),
                 'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='),
             },
+            'nftables-rules.d': {
+                'inet filter forward iif enp1s0.23 oif $INTERFACE accept',
+                'inet filter forward iif enp1s0.42 accept',
+            },
         },
         'unbound': {
             'restrict-to': {