authorGuilhem Moulin <guilhem@fripost.org>2020-01-23 04:29:12 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-01-23 05:57:01 +0100
commit7641a5d5d152db349082b1d0ec93a40888b2ef8e (patch)
tree3f80c14c0e50b187a6698346cf8cffb9c5200154 /roles/common/files/etc
parent456e09fa40d01b70ac1788d0338fba00079e4121 (diff)
Convert firewall to nftables.
Debian Buster uses the nftables framework by default.
Diffstat (limited to 'roles/common/files/etc')
-rwxr-xr-xroles/common/files/etc/network/if-post-down.d/iptables36
-rwxr-xr-xroles/common/files/etc/network/if-pre-up.d/iptables47
2 files changed, 0 insertions, 83 deletions
diff --git a/roles/common/files/etc/network/if-post-down.d/iptables b/roles/common/files/etc/network/if-post-down.d/iptables
deleted file mode 100755
index d27977d..0000000
--- a/roles/common/files/etc/network/if-post-down.d/iptables
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-
-# A post-down hook to flush ip tables and delete custom chains in the
-# loaded v4 and v6 rulesets.
-# Copyright © 2013 Guilhem Moulin <guilhem@fripost.org>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-set -ue
-PATH=/usr/sbin:/usr/bin:/sbin:/bin
-
-# Ignore the loopback interface; run the script for ifdown only.
-[ "$IFACE" != lo -a "$MODE" = stop ] || exit 0
-
-case "$ADDRFAM" in
- inet) ipts=/sbin/iptables-save; ipt=/sbin/iptables;;
- inet6) ipts=/sbin/ip6tables-save; ipt=/sbin/ip6tables;;
- *) exit 0
-esac
-
-$ipts | sed -nr 's/^\*//p' | \
-while read table; do
- $ipt -t "$table" -F
- $ipt -t "$table" -X
-done
diff --git a/roles/common/files/etc/network/if-pre-up.d/iptables b/roles/common/files/etc/network/if-pre-up.d/iptables
deleted file mode 100755
index 2b83cdc..0000000
--- a/roles/common/files/etc/network/if-pre-up.d/iptables
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash
-
-# A pre-up hook to auto-(re)load the iptables rulesets whenever the
-# network is brought up. If the action fails, an alert message is passed
-# to syslogd.
-# Copyright © 2013 Guilhem Moulin <guilhem@fripost.org>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-set -uo pipefail
-PATH=/usr/sbin:/usr/bin:/sbin:/bin
-
-# NOTE: syslog starts after networking during the boot process, messages
-# won't be logged at boot time.
-log="/usr/bin/logger -st firewall"
-
-# Ignore the loopback interface; run the script for ifup only.
-[ "$IFACE" != lo -a "$MODE" = start ] || exit 0
-
-# We support only IPv4 and IPv6.
-[ "$ADDRFAM" = inet -o "$ADDRFAM" = inet6 ] || exit 0
-
-$log -p user.info -- "Loading $ADDRFAM firewall on interface $IFACE."
-
-case "$ADDRFAM" in
- inet) iptr=/sbin/iptables-restore; rules=rules.v4;;
- inet6)iptr=/sbin/ip6tables-restore; rules=rules.v6;;
-esac
-rules="/etc/iptables/$rules"
-
-$iptr < $rules 2>&1 | $log -p user.err
-rv=$?
-
-[ $rv -gt 0 ] && $log -p user.alert \
- "WARN: Failed to load iptables rulesets; the machine may be unprotected!"
-exit $rv