From 57e7f057c6b477440d95fe811d3c0d8fc0b368db Mon Sep 17 00:00:00 2001
From: LinuxSquare <7436714-OfficialLinuxSquare@users.noreply.gitlab.com>
Date: Fri, 20 Oct 2023 14:27:22 +0200
Subject: [PATCH] Switch from iptables to nftables, add separate network states

---
 network/files/firewall_rules.nft.jinja | 12 ++++++++++
 {system => network}/files/network_interfaces | 0
 {system => network}/firewall.sls | 20 ++++++++---------
 system/network.sls => network/init.sls | 8 +++----
 system/files/firewall_rules.v4.jinja | 23 --------------------
 system/init.sls | 2 --
 top.sls | 1 +
 7 files changed, 27 insertions(+), 39 deletions(-)
 create mode 100644 network/files/firewall_rules.nft.jinja
 rename {system => network}/files/network_interfaces (100%)
 rename {system => network}/firewall.sls (50%)
 rename system/network.sls => network/init.sls (75%)
 delete mode 100644 system/files/firewall_rules.v4.jinja

diff --git a/network/files/firewall_rules.nft.jinja b/network/files/firewall_rules.nft.jinja
new file mode 100644
index 0000000..20b4858
--- /dev/null
+++ b/network/files/firewall_rules.nft.jinja
@@ -0,0 +1,12 @@
+# This file is managed by Saltstack. (State {{ STATE }})
+
+#!/usr/sbin/nft
+
+table inet filter {
+ chain input {
+ tcp dport 22 accept
+ {% for port in ALLOWED_PORTS %}
+ tcp dport {{ port }} accept
+ {% endfor %}
+ }
+}
\ No newline at end of file
diff --git a/system/files/network_interfaces b/network/files/network_interfaces
similarity index 100%
rename from system/files/network_interfaces
rename to network/files/network_interfaces
diff --git a/system/firewall.sls b/network/firewall.sls
similarity index 50%
rename from system/firewall.sls
rename to network/firewall.sls
index 17171d6..d52369d 100644
--- a/system/firewall.sls
+++ b/network/firewall.sls
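Review bot: The `input` chain in the new `firewall_rules.nft.jinja` has no base-chain declaration (`type filter hook input priority 0; policy drop;`), so as written it is a regular chain that no packet ever traverses and the accept rules have no effect. The deleted iptables ruleset carried a default DROP on INPUT and FORWARD, a loopback accept, a drop of non-loopback traffic to 127.0.0.0/8 and an established/related accept; none of these are reproduced here, so once the chain is hooked those gaps become the host's policy. If the file is pulled in via an include from the main ruleset, the `#!/usr/sbin/nft` line on line 3 is inert and can be dropped or moved to line 1. Suggested chain body below, keeping the `ALLOWED_PORTS` loop as it is.
```nft
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    iif != lo ip daddr 127.0.0.0/8 drop
    ct state established,related accept
    tcp dport 22 accept
    # … unchanged: ALLOWED_PORTS loop …
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
}
```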
@@ -1,12 +1,12 @@
-system_firewall_pkgs:
+network_firewall_pkgs:
 pkg.installed:
 - pkgs:
- - iptables
+ - nftables
-system_firewall_rules:
+network_firewall_rules:
 file.managed:
- - name: /etc/iptables/rules-save
- - source: salt://{{ tpldir }}/files/firewall_rules.v4.jinja
+ - name: /etc/nftables.d/noveria.nft
+ - source: salt://{{ tpldir }}/files/firewall_rules.nft.jinja
 - template: jinja
 - context:
 STATE: {{ sls }}
@@ -16,15 +16,15 @@ system_firewall_rules:
 - mode: '0600'
 - makedirs: true
 - require:
- - system_firewall_pkgs
+ - network_firewall_pkgs
-system_firewall_service_reload:
+network_firewall_service_reload:
 service.running:
- - name: iptables
+ - name: nftables
 - enable: true
 - reload: true
 - watch:
- - system_firewall_rules
+ - network_firewall_rules
 - require:
- - system_firewall_pkgs
+ - network_firewall_pkgs
diff --git a/system/network.sls b/network/init.sls
similarity index 75%
rename from system/network.sls
rename to network/init.sls
index 0bda3fd..8be14cb 100644
--- a/system/network.sls
+++ b/network/init.sls
@@ -1,7 +1,7 @@
 include:
- - .base
+ - .firewall
-system_network_interfaces:
+network_interfaces:
 file.managed:
 - name: /etc/network/interfaces
 - source: salt://{{ tpldir }}/files/network_interfaces
@@ -11,10 +11,10 @@ system_network_interfaces:
 - require:
 - system_base_pkgs
-system_network_service_reload:
+network_service_reload:
 service.running:
 - name: networking
 - enable: true
 - reload: true
 - watch:
- - system_network_interfaces
+ - system_network_interfaces
\ No newline at end of file
diff --git a/system/files/firewall_rules.v4.jinja b/system/files/firewall_rules.v4.jinja
deleted file mode 100644
index e1b594c..0000000
--- a/system/files/firewall_rules.v4.jinja
+++ /dev/null
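Review bot: `network_firewall_rules` now writes the ruleset to `/etc/nftables.d/noveria.nft`, but nothing in the patch makes the `nftables` service read that directory; if the unit reloads `/etc/nftables.conf` as the Debian package does, the drop-in is only applied when that file contains `include "/etc/nftables.d/*.nft"`, which this state does not manage. Either add a `file.managed` for `/etc/nftables.conf` carrying that include line to `network/firewall.sls` and list it under the `watch` of `network_firewall_service_reload` (second hunk), or point `- name:` at `/etc/nftables.conf` directly so the reload is guaranteed to pick the rules up. The second hunk's `network_firewall_service_reload` block continues past the end of this hunk.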
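Review bot: In the second hunk of `network/init.sls`, `network_service_reload` still watches `system_network_interfaces`, an ID the first hunk of this file renames to `network_interfaces`, so the watch target no longer exists and Salt will report a missing requisite when the state runs; the added line should read `- network_interfaces`. The `require: - system_base_pkgs` two lines above now points into the `system` state even though the `.base` include was replaced by `.firewall`; that presumably still resolves in a highstate where `top.sls` applies `system` alongside `network`, but applying `network` on its own would fail, so either include `system.base` here or drop that requisite. The rename also dropped the file's trailing newline (`\ No newline at end of file`); restoring it keeps the next diff of this file clean.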
@@ -1,23 +0,0 @@
-# This file is managed by Saltstack. (State {{ STATE }})
-
-*filter
-
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-
--A INPUT -i lo -j ACCEPT
-
--A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
-
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
--A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-
--A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-
-{% for port in ALLOWED_PORTS %}
--A INPUT -p tcp --dport {{ port }} -j ACCEPT
-{% endfor %}
-
-COMMIT
diff --git a/system/init.sls b/system/init.sls
index e7930e6..0086569 100644
--- a/system/init.sls
+++ b/system/init.sls
@@ -2,8 +2,6 @@ include:
 - .base
 - .bootloader
 - .disks
- - .firewall
- - .network
 - .user
 - .shell
 - .salt
diff --git a/top.sls b/top.sls
index df56b1b..4ae3cd7 100644
--- a/top.sls
+++ b/top.sls
@@ -1,5 +1,6 @@
 base:
 '*':
 - system
+ - network
 - applications
 - util