modify nodes and bundles for new nftables syntax

nodes/home/nas.py

@@ -55,7 +55,7 @@ nodes['home.nas'] = {
         'groups': {
             'nas': {},
         },
-        'iptables': {
+        'firewall': {
             'port_rules': {
                 '4679': { # Dell ULNM
                     '172.19.136.0/25',

nodes/home/router.py

@@ -94,24 +94,27 @@ nodes['home.router'] = {
             'vars.notification.sms': True
         },
 
-        'iptables': {
-            'custom_rules': [
-                # This is a router. Allow forwarding traffic for internal networks.
-                'iptables_both -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT',
-                'iptables_both -A FORWARD -i enp1s0.23 -o ppp0 -j ACCEPT',
-                'iptables_both -A FORWARD -i enp1s0.42 -j ACCEPT',
+        'nftables': {
+            'rules': {
+                'forward': {
+                    'router': [
+                        # This is a router. Allow forwarding traffic for internal networks.
+                        'ct state { related, established } accept',
+                        'iif enp1s0.23 oif ppp0 accept',
+                        'iif enp1s0.42 accept',
 
-                # External port 2022 should be home.nas
-                'iptables -t nat -A PREROUTING -p tcp --dport 2022 -j DNAT --to 172.19.138.20:22',
-                'iptables -A FORWARD -p tcp -d 172.19.138.20 --dport 22 -j ACCEPT',
-
-                # use MASQUERADE for tun0 (c3voc)
-                'iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE',
-
-                # yaaaaay, IPv6! No NAT!
-                'ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT',
-                'ip6tables -A FORWARD -p tcp --dport 22 -j ACCEPT',
-            ],
+                        # yaaaaay, IPv6! No NAT!
+                        'ip6 nexthdr ipv6-icmp accept',
+                        'tcp dport 22 accept',
+                    ],
+                },
+                'nat_prerouting': [
+                    'tcp dport 2022 dnat 172.19.138.20:22',
+                ],
+                'nat_postrouting': [
+                    'oif tun0 masquerade',
+                ],
+            },
         },
         'netdata': {
             'restrict-to': {

nodes/htz-cloud/miniserver.py

@@ -83,13 +83,6 @@ nodes['htz-cloud.miniserver'] = {
         'icinga_options': {
             'vars.notification.sms': False,
         },
-        'iptables': {
-            'custom_rules': [
-                'iptables_both -A INPUT -p udp --dport 60000:61000 -j ACCEPT', # mosh
-                'iptables_both -A INPUT -p tcp --dport 9001 -j ACCEPT', # weechat
-
-            ],
-        },
         'letsencrypt': {
             'concat_and_deploy': {
                 'sophie-weechat': {
@@ -151,6 +144,16 @@ nodes['htz-cloud.miniserver'] = {
                 'bot_token': '""',
             },
         },
+        'nftables': {
+            'rules': {
+                'input': {
+                    'sophie-weechat': [
+                        'udp dport { 60000-61000 } accept',
+                        'tcp dport 9001 accept',
+                    ],
+                },
+            },
+        },
         'nginx': {
             'vhosts': {
                 #'dimension.sophies-kitchen.eu': {

nodes/htz/ex42-1048908.py

@@ -137,24 +137,6 @@ nodes['htz.ex42-1048908'] = {
         'icinga_options': {
             'pretty_name': 'kunsmann.eu',
         },
-        'iptables': {
-            # TODO move to bundles
-            'custom_rules': [
-                'iptables_both -A INPUT -p udp --dport 60000:61000 -j ACCEPT', # mosh
-                'iptables_both -A INPUT -p tcp --dport 9001 -j ACCEPT', # weechat
-
-                # libvirt rules. These are also added by libvirt itself,
-                # but they would be overridden by our own iptables
-                # management.
-                'iptables -A INPUT -i virbr0 -p udp --dport 53 -j ACCEPT',
-                'iptables -A INPUT -i virbr0 -p tcp --dport 53 -j ACCEPT',
-                'iptables -A INPUT -i virbr0 -p udp --dport 67:68 -j ACCEPT',
-                'iptables -A INPUT -i virbr0 -p tcp --dport 67:68 -j ACCEPT',
-                'iptables -A FORWARD -i virbr0 -j ACCEPT',
-                'iptables -A FORWARD -o virbr0 -j ACCEPT',
-                'iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE',
-            ],
-        },
         'letsencrypt': {
             'concat_and_deploy': {
                 'kunsi-weechat': {
@@ -247,6 +229,30 @@ nodes['htz.ex42-1048908'] = {
                 '@.*:franzi\\\\.business',
             },
         },
+        'nftables': {
+            'rules': {
+                'input': {
+                    'kunsi-weechat': [
+                        'udp dport { 60000-61000 } accept',
+                        'tcp dport 9001 accept',
+                    ],
+                    'libvirt': [
+                        'tcp dport 53 iif virbr0 accept',
+                        'udp dport 53 iif virbr0 accept',
+                        'udp dport { 67, 68 } iif virbr0 accept',
+                    ],
+                },
+                'forward': {
+                    'libvirt': [
+                        'iif virbr0 accept',
+                        'oif virbr0 accept',
+                    ],
+                },
+                'nat_postrouting': {
+                    'oif enp0s31f6 masquerade',
+                },
+            },
+        },
         'nginx': {
             'vhosts': {
                 # TODO maybe some of this can be moved to a bundle?

nodes/kunsi-t470.py

@@ -31,7 +31,7 @@ nodes['kunsi-t470'] = {
             },
             # there is also wlp4s0, but that's managed by netctl
         },
-        'iptables': {
+        'firewall': {
             'port_rules': {
                 # For the occasional file-share using `python -m http.server`
                 '8000': {'*'},