From 74ab982cf1a28a9a3c1807ad14804b20738ec912 Mon Sep 17 00:00:00 2001
From: Mohammed Amar-Bensaber
Date: Tue, 8 Oct 2024 22:35:31 +0200
Subject: nftables: fix broken displace logic

It seems that my package was broken due to a somewhat misinterpretation of `config-package-dev` documentation.
---
debian/nftables-config.displace | 2 +-
debian/nftables-config.displace-extension | 1 +
debian/nftables-config.install | 2 +-
files/etc/nftables.conf | 122 ------------------------------
files/etc/nftables.conf.shione | 122 ++++++++++++++++++++++++++++++
5 files changed, 125 insertions(+), 124 deletions(-)
create mode 100644 debian/nftables-config.displace-extension
delete mode 100644 files/etc/nftables.conf
create mode 100644 files/etc/nftables.conf.shione

diff --git a/debian/nftables-config.displace b/debian/nftables-config.displace
index a8c1aeb..b7219e7 100644
--- a/debian/nftables-config.displace
+++ b/debian/nftables-config.displace
@@ -1 +1 @@
-/etc/nftables.conf
+/etc/nftables.conf.shione
diff --git a/debian/nftables-config.displace-extension b/debian/nftables-config.displace-extension
new file mode 100644
index 0000000..7e14126
--- /dev/null
+++ b/debian/nftables-config.displace-extension
@@ -0,0 +1 @@
+.shione
diff --git a/debian/nftables-config.install b/debian/nftables-config.install
index acb7d4c..f0be58a 100644
--- a/debian/nftables-config.install
+++ b/debian/nftables-config.install
@@ -1 +1 @@
-files/etc/nftables.conf /etc/
+files/etc/nftables.conf.shione /etc/
diff --git a/files/etc/nftables.conf b/files/etc/nftables.conf
deleted file mode 100644
index 5d851f0..0000000
--- a/files/etc/nftables.conf
+++ /dev/null
@@ -1,122 +0,0 @@
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-define eth_iface = enp1s0
-define wg_iface = wg0
-define wg_port = 51820
-define dns_port = 53
-define srt_input_udp_port = 60001
-define srt_output_port = 60000
-define srb2kart_port = 5029
-define syncthing_port = 22000
-define syncthing_gui_port = 8384
-
-table inet filter {
- chain input_ipv4 {
- # accepting ping (icmp-echo-request) for diagnostic purposes.
- # However, it also lets probes discover this host is alive.
- # This sample accepts them within a certain rate limit:
- icmp type echo-request limit rate 5/second accept
- }
-
- chain input_ipv6 {
- # accept neighbour discovery otherwise connectivity breaks
- icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
-
- # accepting ping (icmpv6-echo-request) for diagnostic purposes.
- # However, it also lets probes discover this host is alive.
- # This sample accepts them within a certain rate limit:
- icmpv6 type echo-request limit rate 5/second accept
- }
-
- chain input_world {
- udp dport {
- $wg_port
- } accept
- }
-
- chain input_vpn {
- # TODO: Should we limit source address space?
- #
- # ip saddr 10.8.0.0/32
-
- # Allow VPN to use DNS.
- tcp dport {
- $dns_port,
- $syncthing_port,
- $syncthing_gui_port,
- } accept
-
- udp dport {
- $dns_port,
- $srt_input_udp_port,
- $syncthing_port,
- } accept
- }
-
- chain input {
- # By default, drop all traffic unless it meets a filter
- # criteria specified by the rules that follow below.
- type filter hook input priority 0; policy drop;
-
- # Allow traffic from established and related packets, drop invalid
- ct state vmap { established : accept, related : accept, invalid : drop }
-
- # Jump to chain according to layer 3 protocol using a verdict map
- meta protocol vmap { ip : jump input_ipv4, ip6 : jump input_ipv6 }
-
- # Allow traffic for/from both the world and VPN.
- tcp dport {
- ssh,
- http,
- https,
- } accept
-
- udp dport {
- $srt_output_port,
- $srb2kart_port,
- } accept
-
- # allow loopback traffic, anything else jump to chain for further evaluation
- iifname vmap { lo : accept, $eth_iface : jump input_world, $wg_iface : jump input_vpn }
-
- # Uncomment to enable logging of denied input traffic
- # log prefix "[nftables] input Denied: " counter drop
-
- # Reject with polite "port unreachable" icmp response
- reject
- }
-
- chain forward {
- # Drop everything (assumes this device is not a router)
- # type filter hook forward priority filter;
- type filter hook forward priority 0; policy drop;
-
- # Forward all icmp/icmpv6 packets
- meta l4proto { icmp, ipv6-icmp } accept
-
- # Allow traffic from established and related packets, drop invalid
- ct state vmap { established : accept, related : accept, invalid : drop }
-
- # Forward traffic within the VPN and between it and the outside world.
- iifname $wg_iface oifname $wg_iface counter accept;
- iifname $wg_iface oifname $eth_iface counter accept;
- iifname $eth_iface oifname $eth_iface counter accept;
-
- # Reject with polite "host unreachable" icmp response
- reject with icmpx type host-unreachable
- }
-
- chain prerouting {
- type nat hook prerouting priority 0;
- }
-
- chain postrouting {
- type nat hook postrouting priority 100; policy accept;
- # Masquerade all packets from WireGuard VPN to the outside world.
- iifname $wg_iface oifname $eth_iface masquerade
- }
-
- # no need to define output chain, default policy is accept if undefined.
-}
diff --git a/files/etc/nftables.conf.shione b/files/etc/nftables.conf.shione
new file mode 100644
index 0000000..5d851f0
--- /dev/null
+++ b/files/etc/nftables.conf.shione
@@ -0,0 +1,122 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+define eth_iface = enp1s0
+define wg_iface = wg0
+define wg_port = 51820
+define dns_port = 53
+define srt_input_udp_port = 60001
+define srt_output_port = 60000
+define srb2kart_port = 5029
+define syncthing_port = 22000
+define syncthing_gui_port = 8384
+
+table inet filter {
+ chain input_ipv4 {
+ # accepting ping (icmp-echo-request) for diagnostic purposes.
+ # However, it also lets probes discover this host is alive.
+ # This sample accepts them within a certain rate limit:
+ icmp type echo-request limit rate 5/second accept
+ }
+
+ chain input_ipv6 {
+ # accept neighbour discovery otherwise connectivity breaks
+ icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+
+ # accepting ping (icmpv6-echo-request) for diagnostic purposes.
+ # However, it also lets probes discover this host is alive.
+ # This sample accepts them within a certain rate limit:
+ icmpv6 type echo-request limit rate 5/second accept
+ }
+
+ chain input_world {
+ udp dport {
+ $wg_port
+ } accept
+ }
+
+ chain input_vpn {
+ # TODO: Should we limit source address space?
+ #
+ # ip saddr 10.8.0.0/32
+
+ # Allow VPN to use DNS.
+ tcp dport {
+ $dns_port,
+ $syncthing_port,
+ $syncthing_gui_port,
+ } accept
+
+ udp dport {
+ $dns_port,
+ $srt_input_udp_port,
+ $syncthing_port,
+ } accept
+ }
+
+ chain input {
+ # By default, drop all traffic unless it meets a filter
+ # criteria specified by the rules that follow below.
+ type filter hook input priority 0; policy drop;
+
+ # Allow traffic from established and related packets, drop invalid
+ ct state vmap { established : accept, related : accept, invalid : drop }
+
+ # Jump to chain according to layer 3 protocol using a verdict map
+ meta protocol vmap { ip : jump input_ipv4, ip6 : jump input_ipv6 }
+
+ # Allow traffic for/from both the world and VPN.
+ tcp dport {
+ ssh,
+ http,
+ https,
+ } accept
+
+ udp dport {
+ $srt_output_port,
+ $srb2kart_port,
+ } accept
+
+ # allow loopback traffic, anything else jump to chain for further evaluation
+ iifname vmap { lo : accept, $eth_iface : jump input_world, $wg_iface : jump input_vpn }
+
+ # Uncomment to enable logging of denied input traffic
+ # log prefix "[nftables] input Denied: " counter drop
+
+ # Reject with polite "port unreachable" icmp response
+ reject
+ }
+
+ chain forward {
+ # Drop everything (assumes this device is not a router)
+ # type filter hook forward priority filter;
+ type filter hook forward priority 0; policy drop;
+
+ # Forward all icmp/icmpv6 packets
+ meta l4proto { icmp, ipv6-icmp } accept
+
+ # Allow traffic from established and related packets, drop invalid
+ ct state vmap { established : accept, related : accept, invalid : drop }
+
+ # Forward traffic within the VPN and between it and the outside world.
+ iifname $wg_iface oifname $wg_iface counter accept;
+ iifname $wg_iface oifname $eth_iface counter accept;
+ iifname $eth_iface oifname $eth_iface counter accept;
+
+ # Reject with polite "host unreachable" icmp response
+ reject with icmpx type host-unreachable
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority 0;
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ # Masquerade all packets from WireGuard VPN to the outside world.
+ iifname $wg_iface oifname $eth_iface masquerade
+ }
+
+ # no need to define output chain, default policy is accept if undefined.
+}
-- cgit v1.2.3
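Review bot: The comment `# Drop everything (assumes this device is not a router)` at the top of chain forward no longer describes the chain, because three rules later `iifname $eth_iface oifname $eth_iface counter accept;` forwards traffic that arrived on the external interface back out the same interface, which is router behaviour and is not covered by the wg-only masquerade rule in postrouting. If hairpin forwarding on $eth_iface is intended, replace that comment with one that says so, e.g. `# Policy drop; explicit accepts below forward VPN<->world and world<->world on $eth_iface`, otherwise drop the eth-to-eth rule. The commented-out `ip saddr 10.8.0.0/32` under the TODO in input_vpn is a single-host match, so if that TODO is ever picked up it would need the tunnel's actual prefix (presumably a /24) rather than /32. The blob id 5d851f0 shows this file is byte-identical to the deleted files/etc/nftables.conf, so both points predate this commit and only the packaging changes here.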