rework firewall setup

bundles/wireguard/metadata.py

@@ -264,7 +264,8 @@ def interface_ips(metadata):
 
 
 @metadata_reactor.provides(
-    'nftables/rules/10-wireguard',
+    'nftables/forward/10-wireguard',
+    'nftables/postrouting/10-wireguard',
 )
 def snat(metadata):
     if not node.has_bundle('nftables') or node.os == 'arch':
@@ -272,13 +273,14 @@ def snat(metadata):
 
     snat_ip = metadata.get('wireguard/snat_ip', None)
 
-    rules = set()
+    forward = set()
+    postrouting = set()
     for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
-        rules.add(f'inet filter forward iifname wg_{config["iface"]} accept')
-        rules.add(f'inet filter forward oifname wg_{config["iface"]} accept')
+        forward.add(f'iifname wg_{config["iface"]} accept')
+        forward.add(f'oifname wg_{config["iface"]} accept')
 
         if snat_ip:
-            rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format(
+            postrouting.add('ip saddr {} ip daddr != {} snat to {}'.format(
                 config['my_ip'],
                 config['their_ip'],
                 snat_ip,
@@ -286,8 +288,11 @@ def snat(metadata):
 
     return {
         'nftables': {
-            'rules': {
-                '10-wireguard': sorted(rules),
+            'forward': {
+                '10-wireguard': sorted(forward),
+            },
+            'postrouting': {
+                '10-wireguard': sorted(postrouting),
             },
         },
     }