redirect-ports: migrate to using NFTables

https://github.com/status-im/infra-misc/issues/301

Signed-off-by: Jakub Sokołowski <jakub@status.im>

ansible/group_vars/nimbus.sepolia.yml

@@ -116,7 +116,7 @@ bootstrap__firewall_nftables: true
 # Open Ports
 open_ports_list:
     nginx:
-      - { port: ['80','443'],  comment: 'Nginx' }
+      - { port: 443,           comment: 'Nginx' }
     smart-metrics:
       - { port: '{{ smart_metrics_listen_port }}', comment: 'SMART Metrics', ipset: 'metrics.hq',    iifname: 'wg0' }
     geth-node:

ansible/host_vars/linux-01.ih-eu-mda1.nimbus.sepolia.yml

@@ -13,9 +13,10 @@ test_api_beacon_node_branch: |-
 
 # WARNING: This will change if number of nodes changes.
 redirect_ports:
-  - src: 80
+  public-beacon-api:
+    src: 80
     dst: '{{ test_api_beacon_node_rest_port }}'
-    comment: 'Public Beacon API ({{ test_api_beacon_node_branch }}-{{ test_api_beacon_node_rest_index }})'
+    comment: 'Public Beacon API ({{ test_api_beacon_node_branch }}-0{{ test_api_beacon_node_rest_index|int - 1 }})'
 
 # Era files hosting
 era_files_domain: 'sepolia.era.nimbus.team'

ansible/roles/redirect-ports/defaults/main.yml

@@ -1,3 +1,4 @@
 ---
+redirect_interface: '{{ ansible_default_ipv4.interface }}'
 redirect_ports: []
 #  - { src: 80, dst: 8080 }

ansible/roles/redirect-ports/handlers/main.yml

@@ -1,3 +1,5 @@
 ---
-- name: Save iptables rules
+- name: Reload nftables
-  shell: iptables-save > /etc/iptables/rules.v4
+  service:
+    name:  'nftables'
+    state: 'reloaded'

ansible/roles/redirect-ports/tasks/main.yml

@@ -1,28 +1,27 @@
 ---
-- name: 'Enable redirected {{ item.dst }} port'
+- name: 'Redirect {{ rule.value.src }} to {{ rule.value.dst }}'
-  iptables:
+  copy:
-    comment: '{{ item.comment | default("Open {{ item.dst }}") }}'
+    dest: '/etc/nft.conf.d/services/{{ rule.key }}.nft'
-    chain: 'SERVICES'
+    content: |
-    jump: 'ACCEPT'
+      #!/usr/sbin/nft -f
-    source: '0.0.0.0/0'
+      # Managed with Ansible: redirect-ports
-    protocol: '{{ item.protocol | default("tcp") }}'
+      tcp dport { {{ rule.value.src | mandatory }}, {{ rule.value.dst | mandatory }} } accept comment "{{ rule.value.comment }}"
-    destination_port: '{{ item.dst | string | mandatory }}'
+  with_dict: '{{ redirect_ports | mandatory }}'
-  with_items: '{{ redirect_ports }}'
+  loop_control:
+    loop_var: 'rule'
+    label: '{{ rule.key }}'
   notify:
-    - Save iptables rules
+    - Reload nftables
 
-- name: 'Redirect {{ item.src }} to {{ item.dst }}'
+- name: 'Redirect {{ rule.value.src }} to {{ rule.value.dst }}'
-  iptables:
+  copy:
-    comment: '{{ item.comment | default("Redirect {{ item.src }} to {{ item.dst }}") }}'
+    dest: '/etc/nft.conf.d/prerouting/{{ rule.key }}.nft'
-    table: 'nat'
+    content: |
-    chain: 'PREROUTING'
+      #!/usr/sbin/nft -f
-    jump: 'REDIRECT'
+      iifname {{ redirect_interface }} tcp dport {{ rule.value.src | mandatory }} redirect to {{ rule.value.dst | mandatory }} comment "{{ rule.value.comment }}"
-    action: insert
+  with_dict: '{{ redirect_ports | mandatory }}'
-    protocol: '{{ item.protocol | default("tcp") }}'
+  loop_control:
-    match: '{{ item.protocol | default("tcp") }}'
+    loop_var: 'rule'
-    destination_port: '{{ item.src | string | mandatory }}'
+    label: '{{ rule.key }}'
-    to_ports: '{{ item.dst | string | mandatory }}'
-    in_interface: '{{ ansible_default_ipv4.interface }}'
-  with_items: '{{ redirect_ports }}'
   notify:
-    - Save iptables rules
+    - Reload nftables