From bff77c7fb34e9ba0ae1f42ba920ff09f9faca30d Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 30 Jan 2022 16:05:53 +0100
Subject: wireguard/gateway: switch to nftables
---
 dan/ele-gwhetzner.yml | 3 +-
 dan/ele-media.yml | 4 +-
 inventory/host_vars/ele-media.yml | 46 +++++++++++-----------
 roles/network/wireguard/gateway/handlers/main.yml | 5 +++
 roles/network/wireguard/gateway/tasks/main.yml | 18 ++-------
 .../wireguard/gateway/templates/nftables.rules.j2 | 26 ++++++++++++
 .../gateway/templates/systemd-iptables.service.j2 | 42 --------------------
 .../wireguard/gateway/templates/systemd.network.j2 | 5 ++-
 8 files changed, 66 insertions(+), 83 deletions(-)
 create mode 100644 roles/network/wireguard/gateway/templates/nftables.rules.j2
 delete mode 100644 roles/network/wireguard/gateway/templates/systemd-iptables.service.j2
diff --git a/dan/ele-gwhetzner.yml b/dan/ele-gwhetzner.yml
index 8dd65f13..bcd75bcd 100644
--- a/dan/ele-gwhetzner.yml
+++ b/dan/ele-gwhetzner.yml
@@ -9,4 +9,5 @@
 - role: core/ntp
 - role: network/wireguard/base
 - role: network/wireguard/p2p
- # - role: network/wireguard/gateway
+ - role: network/nftables/base
+ - role: network/wireguard/gateway
diff --git a/dan/ele-media.yml b/dan/ele-media.yml
index e5509155..5f1fd826 100644
--- a/dan/ele-media.yml
+++ b/dan/ele-media.yml
@@ -13,8 +13,8 @@
 - role: apt-repo/spreadspace
 - role: kubernetes/base
 - role: kubernetes/standalone/base
-# - role: network/wireguard/base
-# - role: network/wireguard/gateway
+ - role: network/wireguard/base
+ - role: network/wireguard/gateway
 # - role: dyndns/client
 # - role: acmetool/base
diff --git a/inventory/host_vars/ele-media.yml b/inventory/host_vars/ele-media.yml
index e4239ed1..a0a203ba 100644
--- a/inventory/host_vars/ele-media.yml
+++ b/inventory/host_vars/ele-media.yml
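Review bot: The dan/ele-media.yml hunk enables network/wireguard/gateway without network/nftables/base, although the gateway role now writes into /etc/nftables.d/ (tasks hunk) and reloads the nftables service (handlers hunk); the dan/ele-gwhetzner.yml hunk adds the base role directly in front of the gateway role, so the two playbooks disagree. On ele-media this only works because the wg-gwhetzner tunnel in inventory/host_vars/ele-media.yml defines neither ip_snat nor port_forwardings, so the guarded template task is skipped. Either add `- role: network/nftables/base` in front of the gateway role here as well, or declare it once in the gateway role's meta/main.yml (`dependencies:` / `- role: network/nftables/base`) so the ordering cannot be missed per playbook.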
@@ -64,6 +64,29 @@ zfs_pools:
 create_vdevs: raidz /dev/disk/by-id/ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N2AYHY8E /dev/disk/by-id/ata-WDC_WD30EFRX-68EUZN0_WD-WCC4ND0PVLUE /dev/disk/by-id/ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N6PJ1CSJ /dev/disk/by-id/ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N3YN09NC
+wireguard_keys:
+ gwhetzner:
+ pub: "YO78lnFJdlGnKxBrtVZF4QXF7bpF8rAP7yF97klWLzg="
+ priv: "{{ vault_wireguard_priv_keys.gwhetzner }}"
+
+wireguard_gateway_tunnels:
+ wg-gwhetzner:
+ priv_key: "{{ wireguard_keys.gwhetzner.priv }}"
+ addresses:
+ - 192.168.254.2/30
+ default_gateway:
+ outer: 178.63.180.138
+ inner: 192.168.254.1
+ peers:
+ - pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.elemedia.pub }}"
+ endpoint:
+ host: 178.63.180.138 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}"
+ port: 51820
+ keepalive_interval: 15
+ allowed_ips:
+ - 0.0.0.0/0
+
+
 # dyndns:
 # server: ch-pan
@@ -97,26 +120,3 @@ zfs_pools:
 # lv: ncdata
 # size: 150G
 # fs: ext4
-
-
-# wireguard_keys:
-# gwhetzner:
-# pub: "YO78lnFJdlGnKxBrtVZF4QXF7bpF8rAP7yF97klWLzg="
-# priv: "{{ vault_wireguard_priv_keys.gwhetzner }}"
-
-# wireguard_gateway_tunnels:
-# wg-gwhetzner:
-# priv_key: "{{ wireguard_keys.gwhetzner.priv }}"
-# addresses:
-# - 192.168.254.2/30
-# default_gateway:
-# outer: 178.63.180.138
-# inner: 192.168.254.1
-# peers:
-# - pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.elemedia.pub }}"
-# endpoint:
-# host: 178.63.180.138 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}"
-# port: 51820
-# keepalive_interval: 15
-# allowed_ips:
-# - 0.0.0.0/0
diff --git a/roles/network/wireguard/gateway/handlers/main.yml b/roles/network/wireguard/gateway/handlers/main.yml
index 625032dc..4454e240 100644
--- a/roles/network/wireguard/gateway/handlers/main.yml
+++ b/roles/network/wireguard/gateway/handlers/main.yml
@@ -4,3 +4,8 @@
 daemon_reload: yes
 name: systemd-networkd
 state: restarted
+
+- name: reload nftables
+ service:
+ name: nftables
+ state: reloaded
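Review bot: The re-enabled wg-gwhetzner tunnel hard-codes 178.63.180.138 twice, as `default_gateway.outer` and as `endpoint.host`, with a TODO admitting that `hostvars['ele-gwhetzner'].external_ip` is not usable yet; the two must stay equal, presumably because the default-gateway workaround is what keeps the endpoint reachable outside the tunnel, and a drift would only show up at runtime. Until the variable is fixed, defining the address once in this file (for example a single `gwhetzner_endpoint_ip` variable) and referencing it from both keys removes the duplication. A short comment that `allowed_ips` 0.0.0.0/0 together with `default_gateway` sends all of this host's traffic through the tunnel would also help the next reader of this inventory.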
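Review bot: The new `reload nftables` handler uses the `service` module whereas the existing handler in this file, judging by its `daemon_reload: yes` context line, uses `systemd`; writing it as `systemd:` / `name: nftables` / `state: reloaded` keeps the handlers uniform. A reload of nftables.service only re-reads /etc/nftables.d/wireguard-gateway-*.nft if the main nftables configuration installed by network/nftables/base includes that directory, which this diff cannot show; a one-line comment on the handler stating that assumption would make the coupling visible.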
diff --git a/roles/network/wireguard/gateway/tasks/main.yml b/roles/network/wireguard/gateway/tasks/main.yml
index bc14db1b..0234fc6c 100644
--- a/roles/network/wireguard/gateway/tasks/main.yml
+++ b/roles/network/wireguard/gateway/tasks/main.yml
@@ -26,25 +26,15 @@
 state: started
-- name: create iptables service unit
+- name: install nftables rules
 loop: "{{ wireguard_gateway_tunnels | dict2items }}"
 loop_control:
 label: "{{ item.key }}"
 when: "'ip_snat' in item.value or 'port_forwardings' in item.value"
 template:
- src: systemd-iptables.service.j2
- dest: "/etc/systemd/system/wireguard-gateway-{{ item.key }}-iptables.service"
-
-- name: enable/start iptables service unit
- loop: "{{ wireguard_gateway_tunnels | dict2items }}"
- loop_control:
- label: "{{ item.key }}"
- when: "'ip_snat' in item.value or 'port_forwardings' in item.value"
- systemd:
- daemon_reload: yes
- name: "wireguard-gateway-{{ item.key }}-iptables.service"
- enabled: yes
- state: started
+ src: nftables.rules.j2
+ dest: "/etc/nftables.d/wireguard-gateway-{{ item.key }}.nft"
+ notify: reload nftables
 - name: install workaround for default-gateway handling
diff --git a/roles/network/wireguard/gateway/templates/nftables.rules.j2 b/roles/network/wireguard/gateway/templates/nftables.rules.j2
new file mode 100644
index 00000000..fcf4a21b
--- /dev/null
+++ b/roles/network/wireguard/gateway/templates/nftables.rules.j2
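Review bot: Rules files are only ever written, never removed: once `ip_snat` or `port_forwardings` is dropped from a tunnel, the `when` guard skips the template task and /etc/nftables.d/wireguard-gateway-<key>.nft keeps its SNAT and DNAT rules across every later reload, so a port forwarding stays open after it was removed from the inventory. The deleted iptables unit had the same gap, but the nft file is cheap to clean up with a companion task using the inverted guard, shown below; it covers keys removed from a still-defined tunnel, while a tunnel deleted from wireguard_gateway_tunnels would additionally need a `find`-based sweep of the directory. The collapsed diff also does not show whether `notify: reload nftables` sits at task level next to `template:` (where it must be) or indented under it; please verify. The task list continues outside the hunk.
```yaml
# … unchanged: install nftables rules task …

- name: remove stale nftables rules
  loop: "{{ wireguard_gateway_tunnels | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  when: "'ip_snat' not in item.value and 'port_forwardings' not in item.value"
  file:
    path: "/etc/nftables.d/wireguard-gateway-{{ item.key }}.nft"
    state: absent
  notify: reload nftables
```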
@@ -0,0 +1,26 @@
+# {{ ansible_managed }}
+{% if 'ip_snat' in item.value %}
+
+table ip nat {
+ chain wireguard-gateway-{{ item.key }}-snat {
+ type nat hook postrouting priority 100; policy accept;
+ ip saddr { {{ item.value.addresses | map('ipaddr', 'network/prefix') | join(', ') }} } oifname {{ item.value.ip_snat.interface }} snat to {{ item.value.ip_snat.to }}
+ }
+}
+{% endif %}
+{% if 'port_forwardings' in item.value %}
+
+table ip nat {
+ chain wireguard-gateway-{{ item.key }}-port-forwardings {
+ type nat hook prerouting priority -100; policy accept;
+{% for forward in item.value.port_forwardings %}
+{% for port in forward.tcp_ports | default([]) %}
+ ip daddr {{ forward.dest }} tcp dport {{ port }} dnat to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ ip daddr {{ forward.dest }} udp dport {{ port }} dnat to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+ }
+}
+{% endif %}
diff --git a/roles/network/wireguard/gateway/templates/systemd-iptables.service.j2 b/roles/network/wireguard/gateway/templates/systemd-iptables.service.j2
deleted file mode 100644
index 11cf4b8a..00000000
--- a/roles/network/wireguard/gateway/templates/systemd-iptables.service.j2
+++ /dev/null
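Review bot: The port-forwarding chain rewrites every packet matching `ip daddr {{ forward.dest }}` regardless of ingress interface, and this file carries no filter rules, so whether the DNATed flows are then forwarded at all, and from which side, is decided entirely by the forward chain that network/nftables/base installs, which is not visible here: a drop policy there makes the forwardings silently dead, an accept policy exposes them from every interface including the tunnel side. Add a header comment that states this, e.g. `# NAT only: accept rules for the forwarded flows belong to the forward chain of the base nftables configuration`. Two smaller points: nft prints interface names quoted, so `oifname "{{ item.value.ip_snat.interface }}"` is the canonical form, and the two `table ip nat {` blocks can be a single table with two chains, since nft treats a repeated table declaration as adding to the existing table.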
@@ -1,42 +0,0 @@
-[Unit]
-Wants=network-online.target
-After=network-online.target
-
-
-[Service]
-Type=oneshot
-
-{% if 'ip_snat' in item.value %}
-ExecStart=/usr/sbin/sysctl net.ipv4.ip_forward=1
-{% for addr in item.value.addresses %}
-ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
-{% endfor %}
-{% endif %}
-{% for forward in item.value.port_forwardings | default([]) %}
-{% for port in forward.tcp_ports | default([]) %}
-ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
-{% endfor %}
-{% for port in forward.udp_ports | default([]) %}
-ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
-{% endfor %}
-{% endfor %}
-
-{% if 'ip_snat' in item.value %}
-{% for addr in item.value.addresses %}
-ExecStop=/sbin/iptables -t nat -D POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
-{% endfor %}
-{% endif %}
-{% for forward in item.value.port_forwardings | default([]) %}
-{% for port in forward.tcp_ports | default([]) %}
-ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
-{% endfor %}
-{% for port in forward.udp_ports | default([]) %}
-ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
-{% endfor %}
-{% endfor %}
-
-RemainAfterExit=yes
-
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/network/wireguard/gateway/templates/systemd.network.j2 b/roles/network/wireguard/gateway/templates/systemd.network.j2
index 6847aa6a..d1dd2139 100644
--- a/roles/network/wireguard/gateway/templates/systemd.network.j2
+++ b/roles/network/wireguard/gateway/templates/systemd.network.j2
@@ -6,7 +6,10 @@ Name={{ item.key }}
 Address={{ addr }}
 {% endfor %}
 {% if 'ip_masq' in item.value and item.value.ip_masq %}
-IPMasquerade=yes
+IPMasquerade=ipv4
+{% endif %}
+{% if 'ip_snat' in item.value %}
+IPForward=ipv4
 {% endif %}
 {% if 'default_gateway' in item.value %}
-- 
cgit v1.2.3
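Review bot: `IPForward=ipv4` is emitted only for tunnels with `ip_snat`, yet the tasks hunk installs DNAT rules for tunnels that have only `port_forwardings`, so such a tunnel gets NAT rules but nothing in this role enables forwarding; the deleted iptables unit had the same gap, and this is the place to close it: `{% if 'ip_snat' in item.value or 'port_forwardings' in item.value %}`, mirroring the task's `when`. Second, as far as I know `IPForward=` in a .network file sets the forwarding sysctl of that one link (systemd later deprecated it in favour of `IPv4Forwarding=` while clarifying exactly this), whereas the removed unit set `net.ipv4.ip_forward=1` globally; replies to SNATed flows arrive on `ip_snat.interface`, which also needs forwarding enabled, so confirm that the base role or a sysctl setting covers that interface, or note in a comment where it is done. The template continues outside the hunk.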