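# SaltStack state for managing the host firewall: stop and remove firewalld,
# install nftables and deploy a default-drop ruleset to /etc/nftables.conf.
#
# Pillar inputs:
#   node_nftables_extra_rules (optional, string): extra nft statements appended
#     verbatim after the base ruleset. May span several lines; see the
#     `indent` filter below, which keeps multi-line values inside the block
#     scalar instead of breaking the YAML.

# Ensure firewalld is stopped and disabled if it is present.
firewalld_service_dead:
  service.dead:
    - name: firewalld
    - enable: false
    - onlyif: 'systemctl is-enabled firewalld.service || systemctl is-active firewalld.service'

# Remove the firewalld package once its service is down.
firewalld_pkg_removed:
  pkg.removed:
    - name: firewalld
    - require:
        - service: firewalld_service_dead
    - onlyif: 'rpm -q firewalld || dpkg -s firewalld'

# Install the nftables package.
nftables_pkg:
  pkg.installed:
    - name: nftables

# Manage the nftables configuration file.
# The `ip` family table filters IPv4 only; IPv6 traffic is not covered by these
# chains. An `inet` table would cover both families but would also need
# ICMPv6/NDP accept rules, so the existing ruleset is kept unchanged here.
# NOTE(review): the forward chain drops everything except established/related;
# on a node that forwards pod/container traffic this may need CNI-specific
# accept rules — confirm against the deployment.
nftables_config_file:
  file.managed:
    - name: /etc/nftables.conf
    - contents: |
        #!/usr/sbin/nft -f
        flush ruleset
        table ip filter {
          chain input {
            type filter hook input priority 0; policy drop;
            ct state {established, related} accept
            iif "lo" accept
            tcp dport 22 accept
            tcp dport 10250 accept
            tcp dport 30000-32767 accept
            icmp type echo-request accept
          }
          chain forward {
            type filter hook forward priority 0; policy drop;
            ct state {established, related} accept
          }
          chain output {
            type filter hook output priority 0; policy accept;
          }
        }
        {{ pillar.get("node_nftables_extra_rules", "") | indent(8) }}
    - mode: "0644"
    - require:
        - pkg: nftables_pkg

# Ensure the nftables service is running and enabled on boot; a change to the
# configuration file restarts it so the new ruleset is loaded.
nftables_service:
  service.running:
    - name: nftables
    - enable: true
    - watch:
        - file: nftables_config_file
    - require:
        - pkg: nftables_pkg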