modify nodes and bundles for new nftables syntax

2021-06-03 13:59:15 +02:00 · 2021-06-03 13:59:15 +02:00 · d569b00960
commit d569b00960
parent ecb67d012b
30 changed files with 172 additions and 126 deletions
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -18,12 +18,14 @@ defaults = {
            },
        },
    },
-    'iptables': {
-        'bundle_rules': {
-            'wireguard': [
-                'iptables_both -A FORWARD -i wg0 -j ACCEPT',
-                'iptables_both -A FORWARD -o wg0 -j ACCEPT',
-            ],
+    'nftables': {
+        'rules': {
+            'forward': {
+                'wireguard': [
+                    'iif wg0 accept',
+                    'oif wg0 accept',
+                ],
+            },
        },
    },
    'wireguard': {
@ -149,9 +151,9 @@ def icinga2(metadata):


@metadata_reactor.provides(
-    'iptables/port_rules',
+    'firewall/port_rules',
 )
-def iptables(metadata):
+def firewall(metadata):
    sources = set(metadata.get('wireguard/restrict-to', set()))
    for peer_name in metadata.get('wireguard/peers'):
        try:
@ -162,7 +164,7 @@ def iptables(metadata):
            sources.add(peer_name)

    return {
-        'iptables': {
+        'firewall': {
            'port_rules': {
                '51820/udp': atomic(sources),
            },