cp over all the bundles from kunsis bw repo

bundles/nftables/files/nftables.conf

@@ -0,0 +1,47 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0
+        policy drop
+
+        tcp flags syn tcp option maxseg size 1-500 drop
+
+        ct state { established, related } accept
+        ct state invalid drop
+
+        iif lo accept
+
+        icmp type timestamp-request drop
+        icmp type timestamp-reply drop
+        ip protocol icmp accept
+
+        ip6 nexthdr ipv6-icmp accept
+    }
+
+    chain output {
+        type filter hook output priority 0
+        policy accept
+    }
+
+    chain forward {
+        type filter hook forward priority 0
+        policy drop
+
+        icmp type timestamp-request drop
+        icmp type timestamp-reply drop
+    }
+}
+
+table nat {
+    chain prerouting {
+        type nat hook prerouting priority -100
+    }
+    chain postrouting {
+        type nat hook postrouting priority 100
+    }
+}
+
+include "/etc/nftables-rules.d/*-*"

bundles/nftables/files/override.conf

@@ -0,0 +1,10 @@
+[Service]
+RemainAfterExit=yes
+
+ExecStart=
+ExecStart=/usr/sbin/nft -f /etc/nftables.conf
+ExecStart=/usr/local/sbin/apply-sysctl
+
+ExecReload=
+ExecReload=/usr/sbin/nft -f /etc/nftables.conf
+ExecReload=/usr/local/sbin/apply-sysctl

bundles/nftables/files/rules-template

@@ -0,0 +1,3 @@
+% for rule in rules:
+add rule ${rule}
+% endfor

bundles/nftables/items.py

@@ -0,0 +1,56 @@
+if node.has_bundle('pacman'):
+    package = 'pkg_pacman:nftables'
+else:
+    package = 'pkg_apt:nftables'
+
+directories = {
+    # used by other bundles
+    '/etc/nftables-rules.d': {
+        'purge': True,
+        'triggers': {
+            'svc_systemd:nftables:reload',
+        },
+    },
+}
+
+files = {
+    '/etc/nftables.conf': {
+        'needs': {
+            'directory:/etc/nftables-rules.d',
+        },
+        'triggers': {
+            'svc_systemd:nftables:reload',
+        },
+    },
+    '/etc/systemd/system/nftables.service.d/bundlewrap.conf': {
+        'source': 'override.conf',
+        'triggers': {
+            'action:systemd-reload',
+            'svc_systemd:nftables:reload',
+        },
+    },
+}
+
+for ruleset, rules in node.metadata.get('nftables/rules', {}).items():
+    files[f'/etc/nftables-rules.d/{ruleset}'] = {
+        'source': 'rules-template',
+        'content_type': 'mako',
+        'context': {
+            'rules': rules,
+        },
+        'needed_by': {
+            'svc_systemd:nftables',
+        },
+        'triggers': {
+            'svc_systemd:nftables:reload',
+        },
+    }
+
+svc_systemd = {
+    'nftables': {
+        'needs': {
+            'file:/etc/nftables.conf',
+            package,
+        },
+    },
+}

bundles/nftables/metadata.py

@@ -0,0 +1,96 @@
+from bundlewrap.exceptions import BundleError
+
+defaults = {
+    'apt': {
+        'packages': {
+            'nftables': {},
+        },
+    },
+    'pacman': {
+        'packages': {
+            'nftables': {},
+# https://github.com/bundlewrap/bundlewrap/issues/688
+#            'iptables': {
+#                'installed': False,
+#                'needed_by': {
+#                    'pkg_pacman:iptables-nft',
+#                },
+#            },
+            'iptables-nft': {
+                'needed_by': {
+                    'pkg_pacman:nftables',
+                },
+            },
+        },
+    },
+}
+
+if not node.has_bundle('vmhost'):
+    # see comment in bundles/vmhost/items.py
+    defaults['apt']['packages']['iptables'] = {
+        'installed': False,
+        'needed_by': {
+            'pkg_apt:nftables',
+        },
+    }
+
+@metadata_reactor.provides(
+    'nftables/rules/99-port_rules',
+)
+def port_rules_to_nftables(metadata):
+    # Using this, bundles can simply set up port based rules. This
+    # reactor will then take care of converting those rules to actual
+    # nftables rules
+    ruleset = set()
+
+    # Plese note we do not set any defaults for ports. Bundles are
+    # expected to know themselves which default to use.
+    for portdef, targets in metadata.get('firewall/port_rules', {}).items():
+        if '/' in portdef:
+            port, proto = portdef.split('/', 2)
+
+            if proto not in {'udp'}:
+                raise BundleError(f'firewall/port_rules: illegal identifier {portdef} in metadata for {node.name}')
+        else:
+            port = portdef
+            proto = 'tcp'
+
+        for target in targets:
+            if port == '*' and target == '*':
+                raise BundleError('firewall/port_rules: setting both port and target to * is unsupported')
+
+            comment = f'comment "port_rules {target}"'
+
+            if port != '*':
+                if ':' in port:
+                    parts = port.split(':')
+                    port_str = f'{proto} dport {{ {parts[0]}-{parts[1]} }}'
+                else:
+                    port_str = f'{proto} dport {port}'
+            else:
+                port_str = f'meta l4proto {proto}'
+
+            if target in ('ipv4', 'ipv6'):
+                version_str = f'meta nfproto {target}'
+            else:
+                version_str = ''
+
+            if target in ('*', 'ipv4', 'ipv6'):
+                ruleset.add(f'inet filter input {version_str} {port_str} accept {comment}')
+            else:
+                resolved = repo.libs.tools.resolve_identifier(repo, target)
+
+                for address in resolved['ipv4']:
+                    ruleset.add(f'inet filter input meta nfproto ipv4 {port_str} ip saddr {address} accept {comment}')
+
+                for address in resolved['ipv6']:
+                    ruleset.add(f'inet filter input meta nfproto ipv6 {port_str} ip6 saddr {address} accept {comment}')
+
+    return {
+        'nftables': {
+            'rules': {
+                # order does not matter here.
+                '99-port_rules': sorted(ruleset),
+            },
+        },
+    }