From 38d98ecb0dee4b11fc50e3ffd5688c71993fa458 Mon Sep 17 00:00:00 2001
From: Ben Grande
Date: Wed, 20 Dec 2023 16:49:58 +0100
Subject: [PATCH] fix: nft shebang and table names
---
 .../files/server/qubes-firewall.d/50-sys-cacher | 6 +++---
 .../files/server/rc.local.d/50-sys-cacher.rc | 1 -
 .../files/server/network-hooks.d/flush | 10 +++++++---
 .../qubes-firewall.d/50-sys-pihole-filter | 17 +++++++----------
 .../server/qubes-firewall.d/70-sys-pihole-nat | 16 ++++++++++++----
 .../qubes-firewall.d/50-sys-wireguard-pre | 4 ++--
 .../qubes-firewall.d/60-sys-wireguard-filter | 8 ++++----
 .../files/server/vpn/dns-hijack.nft | 16 ++++++++--------
 salt/sys-wireguard/files/server/vpn/tunnel.nft | 2 +-
 9 files changed, 44 insertions(+), 36 deletions(-)
diff --git a/salt/sys-cacher/files/server/qubes-firewall.d/50-sys-cacher b/salt/sys-cacher/files/server/qubes-firewall.d/50-sys-cacher
index ef0e870..f8bcfc7 100755
--- a/salt/sys-cacher/files/server/qubes-firewall.d/50-sys-cacher
+++ b/salt/sys-cacher/files/server/qubes-firewall.d/50-sys-cacher
@@ -1,7 +1,7 @@
-#!/bin/sh
-# vim: ft=sh
+#!/usr/sbin/nft -f
+# vim: ft=nftables
 # SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-nft 'insert rule ip filter INPUT tcp dport 8082 counter accept'
+add rule ip qubes custom-input tcp dport 8082 accept
diff --git a/salt/sys-cacher/files/server/rc.local.d/50-sys-cacher.rc b/salt/sys-cacher/files/server/rc.local.d/50-sys-cacher.rc
index 076df07..3f784b0 100755
--- a/salt/sys-cacher/files/server/rc.local.d/50-sys-cacher.rc
+++ b/salt/sys-cacher/files/server/rc.local.d/50-sys-cacher.rc
@@ -8,4 +8,3 @@ chown -R apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng
 chown -R apt-cacher-ng:apt-cacher-ng /var/cache/apt-cacher-ng
 systemctl unmask qubes-apt-cacher-ng
 systemctl --no-block restart qubes-apt-cacher-ng
-nft 'insert rule ip filter INPUT tcp dport 8082 counter accept'
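Review bot: The new `add rule ip qubes custom-input tcp dport 8082 accept` opens the apt-cacher-ng port on every interface, including the upstream one, because it carries no interface match; the downstream qubes that should reach the cache arrive on `vif*`, so `add rule ip qubes custom-input iifname "vif*" tcp dport 8082 accept` keeps the listener off the uplink. The rewrite also drops the `counter` that the removed rule had, which costs nothing and is the only cheap way to confirm from `nft list chain ip qubes custom-input` that traffic actually hits the rule. Since the file is now an `nft -f` script rather than a shell script, a header comment such as `# Let downstream qubes reach apt-cacher-ng on 8082` would tell the reader why this rule lives in custom-input instead of in rc.local.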
diff --git a/salt/sys-pihole/files/server/network-hooks.d/flush b/salt/sys-pihole/files/server/network-hooks.d/flush
index 9e666fd..837fcd1 100644
--- a/salt/sys-pihole/files/server/network-hooks.d/flush
+++ b/salt/sys-pihole/files/server/network-hooks.d/flush
@@ -4,6 +4,10 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-flush chain nat PR-QBS
-insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
-insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
+flush chain ip qubes dnat-dns
+flush chain ip6 qubes dnat-dns
+
+insert rule ip qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule ip qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
+insert rule ip6 qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule ip6 qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
diff --git a/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole-filter b/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole-filter
index 3309ef5..faea35f 100644
--- a/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole-filter
+++ b/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole-filter
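Review bot: The two new `ip6` rules end in `dnat to 127.0.0.1`, an IPv4 address inside the `ip6 qubes` table, which nft refuses to load; when the file is fed to `nft -f` the whole script is discarded, so the IPv4 redirect rules above them never take effect either. Either point them at an IPv6 listener the resolver actually binds (`insert rule ip6 qubes dnat-dns iifname "vif*" tcp dport 53 dnat to ::1`, and the same for udp) or leave the `ip6` chain flushed and add no rules until such a listener exists. The same four lines appear in `qubes-firewall.d/70-sys-pihole-nat` in this commit and need the same fix. This file's shebang is outside the hunk, so how it is handed to nft cannot be confirmed from here.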
@@ -7,15 +7,12 @@
 set -eu
 
-get_handle(){
- my_handle=$(nft -a list table "$1" |
- awk 'BEGIN{c0} /related,established/{c++; if (c==1) print $NF}')
- echo "$my_handle"
-}
+nft insert rule ip qubes custom-forward tcp dport 53 drop
+nft insert rule ip qubes custom-forward udp dport 53 drop
 
-nft insert rule filter FORWARD tcp dport 53 drop
-nft insert rule filter FORWARD udp dport 53 drop
+## TODO: Is this working?
+handle="$(nft -a list table qubes |
+ awk 'BEGIN{c0} /related,established/{c++; if (c==1) print $NF}')"
 
-handle=$(get_handle filter)
-nft add rule filter INPUT position "$handle" iifname "vif*" tcp dport 53 accept
-nft add rule filter INPUT position "$handle" iifname "vif*" udp dport 53 accept
+nft add rule ip qubes custom-input position "$handle" iifname "vif*" tcp dport 53 accept
+nft add rule ip qubes custom-input position "$handle" iifname "vif*" udp dport 53 accept
 
diff --git a/salt/sys-pihole/files/server/qubes-firewall.d/70-sys-pihole-nat b/salt/sys-pihole/files/server/qubes-firewall.d/70-sys-pihole-nat
index 0d0a8d4..6a7ba52 100644
--- a/salt/sys-pihole/files/server/qubes-firewall.d/70-sys-pihole-nat
+++ b/salt/sys-pihole/files/server/qubes-firewall.d/70-sys-pihole-nat
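Review bot: The handle lookup feeding `position "$handle"` is fragile in two ways: `nft -a list table qubes` scans every chain in the table, so the first `related,established` rule it finds is unlikely to belong to `custom-input`, and `nft add rule ... position` rejects a handle from another chain; and nft commonly prints the state set as `established,related`, in which case the awk pattern never matches, `handle` is empty and the `set -eu` context line makes the script abort on the resulting nft syntax error — the `## TODO: Is this working?` line suggests the author already saw this. If `custom-input` is, as its name suggests, a chain reserved for local additions, no position is needed and `nft add rule ip qubes custom-input iifname "vif*" tcp dport 53 accept` plus `nft add rule ip qubes custom-input iifname "vif*" udp dport 53 accept` replace the three lookup lines and the two position inserts. `BEGIN{c0}` in the awk program is a no-op (presumably `c=0` was meant); harmless, but worth cleaning up if the lookup stays.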
@@ -1,10 +1,18 @@
-#!/usr/bin/nft -f
+#!/usr/sbin/nft -f
 # SPDX-FileCopyrightText: 2022 - 2023 unman
 # SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-flush chain nat PR-QBS
-insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
-insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
+#flush chain nat PR-QBS
+#insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+#insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
+
+flush chain ip qubes dnat-dns
+flush chain ip6 qubes dnat-dns
+
+insert rule ip qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule ip qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
+insert rule ip6 qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule ip6 qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
 
diff --git a/salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-pre b/salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-pre
index 3f580bf..6177190 100755
--- a/salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-pre
+++ b/salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-pre
@@ -4,8 +4,8 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-echo "define qubes_ip = $(qubesdb-read /qubes-ip)" \
- | tee /rw/config/vpn/qubes-ip.nft >/dev/null
+echo "define qube_ip = $(qubesdb-read /qubes-ip)" \
+ | tee /rw/config/vpn/qube-ip.nft >/dev/null
 
 nft -f /rw/config/vpn/dns-hijack.nft
 
diff --git a/salt/sys-wireguard/files/server/qubes-firewall.d/60-sys-wireguard-filter b/salt/sys-wireguard/files/server/qubes-firewall.d/60-sys-wireguard-filter
index ed11cc3..7b3c422 100755
--- a/salt/sys-wireguard/files/server/qubes-firewall.d/60-sys-wireguard-filter
+++ b/salt/sys-wireguard/files/server/qubes-firewall.d/60-sys-wireguard-filter
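Review bot: The three old `nat PR-QBS` lines are kept as `#` comments instead of being removed; commented-out rules in a firewall script invite someone to re-enable them against a chain that no longer exists, and git history already preserves them. The block that follows is line-for-line the same as `network-hooks.d/flush` in this commit, so the DNS redirect is installed from two places; if both are meant to run, a one-line comment in each file naming the event it covers (firewall reload vs. network hook) would make that deliberate, otherwise one copy should go.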
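Review bot: The output of `qubesdb-read /qubes-ip` is interpolated into `qube-ip.nft` unchecked; if the read fails or prints nothing, the file becomes `define qube_ip = ` and the following `nft -f /rw/config/vpn/dns-hijack.nft` fails inside the include, far from the cause. Capture and check it first — `qube_ip=$(qubesdb-read /qubes-ip) || exit 1`, `[ -n "$qube_ip" ] || exit 1`, then `printf 'define qube_ip = %s\n' "$qube_ip" > /rw/config/vpn/qube-ip.nft` — which also removes the `tee ... >/dev/null`, a redirect in disguise. The rename leaves the previously generated `/rw/config/vpn/qubes-ip.nft` behind on persistent storage; harmless, but an `rm -f` of the old name would avoid confusion when both files are found there. The script's shebang and any `set -e` are outside the hunk.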
@@ -1,10 +1,10 @@
-#!/usr/bin/nft -f
+#!/usr/sbin/nft -f
 # SPDX-FileCopyrightText: 2022 unman
 # SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-insert rule filter FORWARD tcp flags syn tcp option maxseg size set rt mtu
-insert rule filter FORWARD oifname eth0 drop
-insert rule filter FORWARD iifname eth0 drop
+insert rule filter forward tcp flags syn tcp option maxseg size set rt mtu
+insert rule filter forward oifname eth0 drop
+insert rule filter forward iifname eth0 drop
 
diff --git a/salt/sys-wireguard/files/server/vpn/dns-hijack.nft b/salt/sys-wireguard/files/server/vpn/dns-hijack.nft
index d918206..5484a76 100755
--- a/salt/sys-wireguard/files/server/vpn/dns-hijack.nft
+++ b/salt/sys-wireguard/files/server/vpn/dns-hijack.nft
@@ -1,4 +1,4 @@
-#!/usr/bin/nft -f
+#!/usr/sbin/nft -f
 # vim: ft=nftables
 # SPDX-FileCopyrightText: 2022 unman
@@ -6,10 +6,10 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-include /rw/config/vpn/qubes-ip.nft
+include /rw/config/vpn/qube-ip.nft
 
-define vpn_dns1 = 10.8.0.1
-define vpn_dns2 = 10.14.0.1
+define vpn_dns_primary = 10.8.0.1
+define vpn_dns_secondary = 10.14.0.1
 
 chain ip qubes forward '{ policy drop; }'
 insert rule ip qubes custom-forward oifgroup 1 drop
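Review bot: These three rules still target `filter forward` while every other file in this commit moved to the `ip qubes` table (`custom-forward`, `custom-input`, `dnat-dns`); `insert rule filter forward ...` defaults to the `ip` family and is rejected if no `table ip filter` exists, which makes the whole `nft -f` load fail and with it the eth0 kill-switch drops. If the intent matches the rest of the series, the lines should read `insert rule ip qubes custom-forward tcp flags syn tcp option maxseg size set rt mtu`, `insert rule ip qubes custom-forward oifname eth0 drop` and `insert rule ip qubes custom-forward iifname eth0 drop`, as `dns-hijack.nft` in the same commit already does for its `oifgroup`/`iifgroup` drops. If `filter` is deliberately kept because another component creates that table, a one-line comment naming it would stop the next reader from "fixing" it.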
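Review bot: The unchanged context line `chain ip qubes forward '{ policy drop; }'` wraps the block in single quotes, which is shell quoting rather than nft syntax; if this file is loaded by `nft -f` as `50-sys-wireguard-pre` does, the parser stops there and neither the renamed defines nor the redirect rules after it are installed. It should read `chain ip qubes forward { policy drop; }`. The new names `vpn_dns_primary`/`vpn_dns_secondary` read better than `vpn_dns1`/`vpn_dns2`, but a comment above them recording where `10.8.0.1` and `10.14.0.1` come from (the tunnel's resolvers, presumably) would spare the next person from rediscovering why they are hard-coded.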
@@ -18,7 +18,7 @@ insert rule ip qubes custom-forward iifgroup 1 drop
 flush chain ip qubes dnat-dns
 flush chain ip6 qubes dnat-dns
 
-add rule ip qubes dnat-dns iifgroup 2 ip daddr $qubes_ip tcp dport 53 counter dnat to $vpn_dns1
-add rule ip qubes dnat-dns iifgroup 2 ip daddr $qubes_ip tcp dport 53 counter dnat to $vpn_dns1
-add rule ip qubes dnat-dns iifgroup 2 ip daddr $qubes_ip udp dport 53 counter dnat to $vpn_dns2
-add rule ip qubes dnat-dns iifgroup 2 ip daddr $qubes_ip udp dport 53 counter dnat to $vpn_dns2
+add rule ip qubes dnat-dns iifgroup 2 ip daddr $qube_ip tcp dport 53 counter dnat to $vpn_dns_primary
+add rule ip qubes dnat-dns iifgroup 2 ip daddr $qube_ip tcp dport 53 counter dnat to $vpn_dns_primary
+add rule ip qubes dnat-dns iifgroup 2 ip daddr $qube_ip udp dport 53 counter dnat to $vpn_dns_secondary
+add rule ip qubes dnat-dns iifgroup 2 ip daddr $qube_ip udp dport 53 counter dnat to $vpn_dns_secondary
diff --git a/salt/sys-wireguard/files/server/vpn/tunnel.nft b/salt/sys-wireguard/files/server/vpn/tunnel.nft
index d07f866..eac98b4 100755
--- a/salt/sys-wireguard/files/server/vpn/tunnel.nft
+++ b/salt/sys-wireguard/files/server/vpn/tunnel.nft
@@ -1,4 +1,4 @@
-#!/usr/bin/nft -f
+#!/usr/sbin/nft -f
 # vim: ft=nftables
 # SPDX-FileCopyrightText: 2022 unman
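Review bot: The four added rules are two byte-identical pairs: the second `tcp dport 53 ... dnat to $vpn_dns_primary` can never match because the first is a terminal DNAT, so TCP queries only ever reach `$vpn_dns_primary` and UDP queries only `$vpn_dns_secondary`, which is almost certainly not what two resolvers were meant for, and the rename in this commit makes the mismatch more visible without fixing it. If the usual Qubes pairing is intended, each resolver address handed to downstream qubes (qubesdb `/qubes-primary-dns` and `/qubes-secondary-dns`) should be matched with `ip daddr` and sent to the corresponding `vpn_dns_*`, for both tcp and udp; matching `ip daddr $qube_ip` only catches queries addressed to this qube's own IP, which downstream qubes normally do not use for DNS — please confirm against how the clients are configured. Either way two of the four rules should be deleted or given a distinct match, and a comment above the block stating the intended mapping would make the next mistake of this kind visible in review.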