From 79e80221cd74b4055141699b59fcb51ecbce5601 Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Wed, 28 Feb 2024 11:35:01 +0100
Subject: Rename fw-nftables to nftables

---
defaults | 38 +++++++------
playbooks.d/fw-nftables/description.txt | 1 -
playbooks.d/fw-nftables/etc/defaults | 2 -
playbooks.d/fw-nftables/playbook.bash | 99 ---------------------------------
playbooks.d/nftables/description.txt | 1 +
playbooks.d/nftables/etc/defaults | 2 +
playbooks.d/nftables/playbook.bash | 99 +++++++++++++++++++++++++++++++++
registry.d/plarabe.tyil.net | 2 +-
registry.d/qohrei.tyil.net | 2 +-
9 files changed, 124 insertions(+), 122 deletions(-)
delete mode 100644 playbooks.d/fw-nftables/description.txt
delete mode 100644 playbooks.d/fw-nftables/etc/defaults
delete mode 100644 playbooks.d/fw-nftables/playbook.bash
create mode 100644 playbooks.d/nftables/description.txt
create mode 100644 playbooks.d/nftables/etc/defaults
create mode 100644 playbooks.d/nftables/playbook.bash
diff --git a/defaults b/defaults
index 7beae20..6145aab 100644
--- a/defaults
+++ b/defaults
@@ -9,24 +9,26 @@ dns.upstream.3=2a03:94e0:1804::1
 dns.upstream.4=2001:470:71:6dc::53
 etc-nixos.path=/etc/nixos
 etc-portage.path=/etc/portage
-fw-nftables.input.icmp.ipv4.policy=accept
-fw-nftables.input.icmp.ipv4.rate=2/second
-fw-nftables.input.icmp.ipv6.policy=accept
-fw-nftables.input.icmp.ipv6.rate=2/second
-fw-nftables.input.interfaces.lo.policy=accept
-fw-nftables.input.policy=drop
-fw-nftables.input.rules.ssh.policy=accept
-fw-nftables.input.rules.ssh.port=22
-fw-nftables.input.rules.ssh.proto=tcp
-fw-nftables.input.rules.mosh.policy=accept
-fw-nftables.input.rules.mosh.port=60000-61000
-fw-nftables.input.rules.mosh.proto=udp
-fw-nftables.input.rules.wireguard.policy=accept
-fw-nftables.input.rules.wireguard.port=51820
-fw-nftables.input.rules.wireguard.proto=udp
-fw-nftables.input.state.established.policy=accept
-fw-nftables.input.state.invalid.policy=drop
-fw-nftables.input.state.related.policy=accept
+nftables.input.icmp.ipv4.policy=accept
+nftables.input.icmp.ipv4.rate=2/second
+nftables.input.icmp.ipv6.policy=accept
+nftables.input.icmp.ipv6.rate=2/second
+nftables.input.interfaces.lo.policy=accept
+nftables.input.interfaces.tyilnet.policy=accept
+nftables.input.interfaces.tyilnet1058.policy=accept
+nftables.input.policy=drop
+nftables.input.rules.ssh.policy=accept
+nftables.input.rules.ssh.port=22
+nftables.input.rules.ssh.proto=tcp
+nftables.input.rules.mosh.policy=accept
+nftables.input.rules.mosh.port=60000-61000
+nftables.input.rules.mosh.proto=udp
+nftables.input.rules.wireguard.policy=accept
+nftables.input.rules.wireguard.port=51820
+nftables.input.rules.wireguard.proto=udp
+nftables.input.state.established.policy=accept
+nftables.input.state.invalid.policy=drop
+nftables.input.state.related.policy=accept
 k3s-master.cluster-domain=k3s.tyil.nl
 k3s-master.helm.apps.certmanager.chart=jetstack/cert-manager
 k3s-master.helm.apps.certmanager.namespace=base-system
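Review bot: Besides the key rename, the new side adds `nftables.input.interfaces.tyilnet.policy=accept` and `nftables.input.interfaces.tyilnet1058.policy=accept`, which the commit title and message do not mention. In the playbook further down in this diff, each interfaces key becomes an `iifname <name> accept` rule placed in the input chain ahead of the ICMP rate limits and the per-port rules, so anything arriving on those two interfaces bypasses both; that is a widening of the firewall rather than a rename and deserves its own commit, or at least a sentence in the message stating why it is intended. What tyilnet and tyilnet1058 are is not visible here (presumably overlay interfaces, given the tinc and wireguard entries in the registry files), so a short explanation of why they are trusted wholesale would help the next reader.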
diff --git a/playbooks.d/fw-nftables/description.txt b/playbooks.d/fw-nftables/description.txt
deleted file mode 100644
index 38683d6..0000000
--- a/playbooks.d/fw-nftables/description.txt
+++ /dev/null
@@ -1 +0,0 @@
-Firewall through nftables
diff --git a/playbooks.d/fw-nftables/etc/defaults b/playbooks.d/fw-nftables/etc/defaults
deleted file mode 100644
index 10cc38b..0000000
--- a/playbooks.d/fw-nftables/etc/defaults
+++ /dev/null
@@ -1,2 +0,0 @@
-pkg.nftables=nftables
-svc.nftables=nftables
diff --git a/playbooks.d/fw-nftables/playbook.bash b/playbooks.d/fw-nftables/playbook.bash
deleted file mode 100644
index c0b366c..0000000
--- a/playbooks.d/fw-nftables/playbook.bash
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/usr/bin/env bash
-
-playbook_add() {
- pkg install nftables
-
- playbook_sync
-
- svc enable nftables
- svc start nftables
-}
-
-playbook_sync() {
- {
- printf "#!%s -f\n\n" "$(config "$BASHTARD_PLAYBOOK.binpath" "/usr/sbin/nft")"
- printf "flush ruleset\n\n"
- printf "table inet filter {\n"
- printf "\tchain input {\n"
- printf "\t\ttype filter hook input priority filter;\n"
-
- # Add conntrack state rules
- info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for conntrack state"
- printf "\n"
- printf "\t\tct state established %s;\n" \
- "$(config "$BASHTARD_PLAYBOOK.input.state.established.policy" "accept")"
- printf "\t\tct state related %s;\n" \
- "$(config "$BASHTARD_PLAYBOOK.input.state.related.policy" "accept")"
- printf "\t\tct state invalid %s;\n" \
- "$(config "$BASHTARD_PLAYBOOK.input.state.invalid.policy" "drop")"
-
- # Add interface rules
- printf "\n"
- while read -r interface
- do
- info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for interface $interface"
- printf "\t\tiifname %s %s;\n" "$interface" "$(config "$BASHTARD_PLAYBOOK.input.interfaces.$interface.policy")"
- done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.interfaces")
-
- # Add ICMP rules
- info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for ICMP"
- printf "\n"
- printf "\t\tmeta l4proto icmp" \ # IPv4
- if [[ "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "")" != "" ]]
- then
- printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "2/second")"
- fi
- printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.policy" "accept")"
- printf ";\n"
- printf "\t\tmeta l4proto ipv6-icmp" \ # IPv6
- if [[ "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate" "")" != "" ]]
- then
- printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate")"
- fi
- printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.policy" "accept")"
- printf ";\n"
-
- # Add custom input rules
- printf "\n"
- while read -r rule
- do
- info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for custom rule $rule"
- printf "\t\tmeta l4proto { %s } th" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.proto")"
- printf " dport %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.port")"
- printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.policy" "accept")"
- printf " comment \"%s\"" "$rule"
- printf ";\n"
- done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.rules")
-
- # Add fallback policy
- printf "\n"
- printf "\t\tlog prefix \"[nftables] \" counter drop;\n"
- printf "\t\tpolicy %s;\n" "$(config "$BASHTARD_PLAYBOOK.input.policy" "drop")"
-
- printf "\t}\n"
- printf "\tchain forward {\n"
- printf "\t\ttype filter hook forward priority filter;\n"
-
- # TODO: Add forward rules
-
- printf "\t}\n"
- printf "\tchain output {\n"
- printf "\t\ttype filter hook output priority filter;\n"
-
- # TODO: Add output rules
-
- printf "\t}\n"
- printf "}\n"
- } > "$(config "fs.etcdir")/nftables.conf"
-
- [[ "$BASHTARD_COMMAND" == "add" ]] && return
-
- svc restart nftables
-}
-
-playbook_del() {
- svc stop nftables
- svc disable nftables
- pkg uninstall nftables
- rm -fr -- "$(config "fs.etcdir")/nftables"
-}
diff --git a/playbooks.d/nftables/description.txt b/playbooks.d/nftables/description.txt
new file mode 100644
index 0000000..38683d6
--- /dev/null
+++ b/playbooks.d/nftables/description.txt
@@ -0,0 +1 @@
+Firewall through nftables
diff --git a/playbooks.d/nftables/etc/defaults b/playbooks.d/nftables/etc/defaults
new file mode 100644
index 0000000..10cc38b
--- /dev/null
+++ b/playbooks.d/nftables/etc/defaults
@@ -0,0 +1,2 @@
+pkg.nftables=nftables
+svc.nftables=nftables
diff --git a/playbooks.d/nftables/playbook.bash b/playbooks.d/nftables/playbook.bash
new file mode 100644
index 0000000..c0b366c
--- /dev/null
+++ b/playbooks.d/nftables/playbook.bash
@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+
+playbook_add() {
+ pkg install nftables
+
+ playbook_sync
+
+ svc enable nftables
+ svc start nftables
+}
+
+playbook_sync() {
+ {
+ printf "#!%s -f\n\n" "$(config "$BASHTARD_PLAYBOOK.binpath" "/usr/sbin/nft")"
+ printf "flush ruleset\n\n"
+ printf "table inet filter {\n"
+ printf "\tchain input {\n"
+ printf "\t\ttype filter hook input priority filter;\n"
+
+ # Add conntrack state rules
+ info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for conntrack state"
+ printf "\n"
+ printf "\t\tct state established %s;\n" \
+ "$(config "$BASHTARD_PLAYBOOK.input.state.established.policy" "accept")"
+ printf "\t\tct state related %s;\n" \
+ "$(config "$BASHTARD_PLAYBOOK.input.state.related.policy" "accept")"
+ printf "\t\tct state invalid %s;\n" \
+ "$(config "$BASHTARD_PLAYBOOK.input.state.invalid.policy" "drop")"
+
+ # Add interface rules
+ printf "\n"
+ while read -r interface
+ do
+ info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for interface $interface"
+ printf "\t\tiifname %s %s;\n" "$interface" "$(config "$BASHTARD_PLAYBOOK.input.interfaces.$interface.policy")"
+ done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.interfaces")
+
+ # Add ICMP rules
+ info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for ICMP"
+ printf "\n"
+ printf "\t\tmeta l4proto icmp" \ # IPv4
+ if [[ "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "")" != "" ]]
+ then
+ printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "2/second")"
+ fi
+ printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.policy" "accept")"
+ printf ";\n"
+ printf "\t\tmeta l4proto ipv6-icmp" \ # IPv6
+ if [[ "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate" "")" != "" ]]
+ then
+ printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate")"
+ fi
+ printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.policy" "accept")"
+ printf ";\n"
+
+ # Add custom input rules
+ printf "\n"
+ while read -r rule
+ do
+ info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for custom rule $rule"
+ printf "\t\tmeta l4proto { %s } th" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.proto")"
+ printf " dport %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.port")"
+ printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.policy" "accept")"
+ printf " comment \"%s\"" "$rule"
+ printf ";\n"
+ done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.rules")
+
+ # Add fallback policy
+ printf "\n"
+ printf "\t\tlog prefix \"[nftables] \" counter drop;\n"
+ printf "\t\tpolicy %s;\n" "$(config "$BASHTARD_PLAYBOOK.input.policy" "drop")"
+
+ printf "\t}\n"
+ printf "\tchain forward {\n"
+ printf "\t\ttype filter hook forward priority filter;\n"
+
+ # TODO: Add forward rules
+
+ printf "\t}\n"
+ printf "\tchain output {\n"
+ printf "\t\ttype filter hook output priority filter;\n"
+
+ # TODO: Add output rules
+
+ printf "\t}\n"
+ printf "}\n"
+ } > "$(config "fs.etcdir")/nftables.conf"
+
+ [[ "$BASHTARD_COMMAND" == "add" ]] && return
+
+ svc restart nftables
+}
+
+playbook_del() {
+ svc stop nftables
+ svc disable nftables
+ pkg uninstall nftables
+ rm -fr -- "$(config "fs.etcdir")/nftables"
+}
diff --git a/registry.d/plarabe.tyil.net b/registry.d/plarabe.tyil.net
index b401121..f93a766 100644
--- a/registry.d/plarabe.tyil.net
+++ b/registry.d/plarabe.tyil.net
@@ -1,2 +1,2 @@
-fw-nftables
+nftables
 vpn-tinc
diff --git a/registry.d/qohrei.tyil.net b/registry.d/qohrei.tyil.net
index a9f3dcb..1fa2dc8 100644
--- a/registry.d/qohrei.tyil.net
+++ b/registry.d/qohrei.tyil.net
@@ -1,3 +1,3 @@
-fw-nftables
+nftables
 vpn-tinc
 vpn-wireguard
-- 
cgit v1.1