fix: nft shebang and table names

salt/sys-cacher/files/server/qubes-firewall.d/50-sys-cacher

@@ -1,7 +1,7 @@
-#!/bin/sh
-# vim: ft=sh
+#!/usr/sbin/nft -f
+# vim: ft=nftables
 # SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-nft 'insert rule ip filter INPUT tcp dport 8082 counter accept'
+add rule ip qubes custom-input tcp dport 8082 accept

salt/sys-cacher/files/server/rc.local.d/50-sys-cacher.rc

@@ -8,4 +8,3 @@ chown -R apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng
 chown -R apt-cacher-ng:apt-cacher-ng /var/cache/apt-cacher-ng
 systemctl unmask qubes-apt-cacher-ng
 systemctl --no-block restart qubes-apt-cacher-ng
-nft 'insert rule ip filter INPUT tcp dport 8082 counter accept'

salt/sys-pihole/files/server/network-hooks.d/flush

@@ -4,6 +4,10 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-flush chain nat PR-QBS
-insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
-insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
+flush chain ip  qubes dnat-dns
+flush chain ip6 qubes dnat-dns
+
+insert rule ip  qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule ip  qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
+insert rule ip6 qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule ip6 qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1

salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole-filter

@@ -7,15 +7,12 @@
 
 set -eu
 
-get_handle(){
-  my_handle=$(nft -a list table "$1" |
-    awk 'BEGIN{c0} /related,established/{c++; if (c==1) print $NF}')
-  echo "$my_handle"
-}
+nft insert rule ip qubes custom-forward tcp dport 53 drop
+nft insert rule ip qubes custom-forward udp dport 53 drop
 
-nft insert rule filter FORWARD tcp dport 53 drop
-nft insert rule filter FORWARD udp dport 53 drop
+## TODO: Is this working?
+handle="$(nft -a list table qubes |
+    awk 'BEGIN{c0} /related,established/{c++; if (c==1) print $NF}')"
 
-handle=$(get_handle filter)
-nft add rule filter INPUT position "$handle" iifname "vif*" tcp dport 53 accept
-nft add rule filter INPUT position "$handle" iifname "vif*" udp dport 53 accept
+nft add rule ip qubes custom-input position "$handle" iifname "vif*" tcp dport 53 accept
+nft add rule ip qubes custom-input position "$handle" iifname "vif*" udp dport 53 accept

salt/sys-pihole/files/server/qubes-firewall.d/70-sys-pihole-nat

@@ -1,10 +1,18 @@
-#!/usr/bin/nft -f
+#!/usr/sbin/nft -f
 
 # SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
 # SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-flush chain nat PR-QBS
-insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
-insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
+#flush chain nat PR-QBS
+#insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+#insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
+
+flush chain ip  qubes dnat-dns
+flush chain ip6 qubes dnat-dns
+
+insert rule ip  qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule ip  qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
+insert rule ip6 qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule ip6 qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1

salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-pre

@@ -4,8 +4,8 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-echo "define qubes_ip = $(qubesdb-read /qubes-ip)" \
-  | tee /rw/config/vpn/qubes-ip.nft >/dev/null
+echo "define qube_ip = $(qubesdb-read /qubes-ip)" \
+  | tee /rw/config/vpn/qube-ip.nft >/dev/null
 
 nft -f /rw/config/vpn/dns-hijack.nft
 

salt/sys-wireguard/files/server/qubes-firewall.d/60-sys-wireguard-filter

@@ -1,10 +1,10 @@
-#!/usr/bin/nft -f
+#!/usr/sbin/nft -f
 
 # SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
 # SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-insert rule filter FORWARD tcp flags syn tcp option maxseg size set rt mtu
-insert rule filter FORWARD oifname eth0 drop
-insert rule filter FORWARD iifname eth0 drop
+insert rule filter forward tcp flags syn tcp option maxseg size set rt mtu
+insert rule filter forward oifname eth0 drop
+insert rule filter forward iifname eth0 drop

salt/sys-wireguard/files/server/vpn/dns-hijack.nft

@@ -1,4 +1,4 @@
-#!/usr/bin/nft -f
+#!/usr/sbin/nft -f
 # vim: ft=nftables
 
 # SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
@@ -6,10 +6,10 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-include /rw/config/vpn/qubes-ip.nft
+include /rw/config/vpn/qube-ip.nft
 
-define vpn_dns1 = 10.8.0.1
-define vpn_dns2 = 10.14.0.1
+define vpn_dns_primary = 10.8.0.1
+define vpn_dns_secondary = 10.14.0.1
 
 chain ip qubes forward '{ policy drop; }'
 insert rule ip qubes custom-forward oifgroup 1 drop
@@ -18,7 +18,7 @@ insert rule ip qubes custom-forward iifgroup 1 drop
 flush chain ip qubes dnat-dns
 flush chain ip6 qubes dnat-dns
 
-add rule ip qubes dnat-dns iifgroup 2 ip daddr $qubes_ip tcp dport 53 counter dnat to $vpn_dns1
-add rule ip qubes dnat-dns iifgroup 2 ip daddr $qubes_ip tcp dport 53 counter dnat to $vpn_dns1
-add rule ip qubes dnat-dns iifgroup 2 ip daddr $qubes_ip udp dport 53 counter dnat to $vpn_dns2
-add rule ip qubes dnat-dns iifgroup 2 ip daddr $qubes_ip udp dport 53 counter dnat to $vpn_dns2
+add rule ip qubes dnat-dns iifgroup 2 ip daddr $qube_ip tcp dport 53 counter dnat to $vpn_dns_primary
+add rule ip qubes dnat-dns iifgroup 2 ip daddr $qube_ip tcp dport 53 counter dnat to $vpn_dns_primary
+add rule ip qubes dnat-dns iifgroup 2 ip daddr $qube_ip udp dport 53 counter dnat to $vpn_dns_secondary
+add rule ip qubes dnat-dns iifgroup 2 ip daddr $qube_ip udp dport 53 counter dnat to $vpn_dns_secondary

salt/sys-wireguard/files/server/vpn/tunnel.nft

@@ -1,4 +1,4 @@
-#!/usr/bin/nft -f
+#!/usr/sbin/nft -f
 # vim: ft=nftables
 
 # SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>