Add nftables config and conf-regen

conf/nftables/nftables.conf

@@ -0,0 +1,20 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority filter;
+	}
+	chain forward {
+		type filter hook forward priority filter;
+	}
+	chain output {
+		type filter hook output priority filter;
+	}
+}
+
+## Above is the standard nftables.conf
+## Below is to include YunoHost configuration
+
+include "/etc/nftables.d/*.conf"

conf/nftables/nftables.d/fail2ban.conf

@@ -0,0 +1 @@
+# FIXME:

conf/nftables/nftables.d/yunohost-firewall.tpl.conf

@@ -0,0 +1,21 @@
+#!/usr/sbin/nft -f
+
+{% set tcp_ports = tcp_ports.strip().split(' ') -%}
+{% set udp_ports = udp_ports.strip().split(' ') -%}
+
+table inet filter {
+    chain input {
+        ct state related,established counter accept;
+
+        {% for port in tcp_ports %}
+        tcp dport {{port}} counter accept;
+        {%- endfor %}
+
+        {% for port in udp_ports %}
+        udp dport {{port}} counter accept;
+        {%- endfor %}
+
+        iifname "lo" counter accept;
+        ip protocol icmp counter accept;
+    }
+}

debian/control

@@ -34,8 +34,7 @@ Recommends: yunohost-admin, yunohost-portal (>= 12.0)
  , bash-completion, rsyslog
  , unattended-upgrades
  , libdbd-ldap-perl, libnet-dns-perl
-Conflicts: iptables-persistent
- , apache2
+Conflicts: apache2
  , bind9
  , openresolv
  , systemd-resolved

hooks/conf_regen/40-nftables

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2024 YunoHost Contributors
+#
+# This file is part of YunoHost (see https://yunohost.org)
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+set -e
+
+. /usr/share/yunohost/helpers
+
+do_pre_regen() {
+    pending_dir=$1
+
+    firewall_file="/etc/yunohost/firewall.yml"
+
+    tcp_ports=$(python3 -c "import yaml; print(' '.join(str(i) for i in yaml.safe_load(open('${firewall_file}', 'r'))['ipv4']['TCP'])) ")
+    udp_ports=$(python3 -c "import yaml; print(' '.join(str(i) for i in yaml.safe_load(open('${firewall_file}', 'r'))['ipv4']['UDP'])) ")
+
+    export tcp_ports udp_ports
+
+    # # Support different strategy for security configurations
+    # export compatibility="$(jq -r '.ssh_compatibility' <<< "$YNH_SETTINGS")"
+    # export port="$(jq -r '.ssh_port' <<< "$YNH_SETTINGS")"
+    # export password_authentication="$(jq -r '.ssh_password_authentication' <<< "$YNH_SETTINGS" | int_to_bool)"
+    # export ssh_keys=$(ls /etc/ssh/ssh_host_{ed25519,rsa,ecdsa}_key 2> /dev/null || true)
+
+    cd /usr/share/yunohost/conf/nftables
+    mkdir -p "${pending_dir}/etc/nftables.d"
+    cp nftables.conf "${pending_dir}/etc/nftables.conf"
+    ynh_render_template nftables.d/yunohost-firewall.tlp.conf "${pending_dir}/etc/nftables.d/yunohost-firewall.conf"
+}
+
+do_post_regen() {
+    regen_conf_files=$1
+
+    if ls -l /etc/nftables.d/*.conf; then
+        chown root:root /etc/nftables.d/*.conf
+        chmod 644 /etc/nftables.d/*.conf
+    fi
+
+    [[ -z "$regen_conf_files" ]] \
+        || systemctl reload nftables
+}
+
+do_$1_regen ${@:2}