From e0b5b787200e979b365fb490d6c7633cae95ed11 Mon Sep 17 00:00:00 2001
From: markoburcul
Date: Tue, 8 Oct 2024 09:39:56 +0200
Subject: [PATCH] logs: Migrate to nftables

Referenced issue: https://github.com/status-im/infra-misc/issues/301
Signed-off-by: markoburcul
---
 ansible/group_vars/logs.nimbus.yml | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/ansible/group_vars/logs.nimbus.yml b/ansible/group_vars/logs.nimbus.yml
index f132efe..11dfc28 100644
--- a/ansible/group_vars/logs.nimbus.yml
+++ b/ansible/group_vars/logs.nimbus.yml
@@ -47,17 +47,20 @@ es_jvm_heap_auto: false
 es_jvm_min_heap: 40g
 es_jvm_max_heap: 40g
+# Migrated to NFTables from IPTables.
+# https://github.com/status-im/infra-misc/issues/301
+bootstrap__firewall_nftables: true
+
 # Open Ports
 open_ports_default_comment: 'ElasticSearch'
-open_ports_default_chain: 'VPN'
 open_ports_list:
- - { port: 80, chain: 'SERVICES' }
- - { port: 443, chain: 'SERVICES' }
- - { port: '{{ es_api_port }}', ipset: 'dash.hq' }
- - { port: '{{ es_api_port }}', ipset: 'logs.hq' }
- - { port: '{{ es_api_port }}', ipset: 'logs.nimbus' }
- - { port: '{{ es_api_port }}', ipset: 'dash.nimbus' }
- - { port: '{{ es_node_port }}', ipset: 'logs.nimbus' }
- - { port: '{{ es_node_port }}', ipset: 'dash.nimbus' }
- - { port: '{{ es_exp_cont_port }}', ipset: 'metrics.hq' }
- - { port: '{{ smart_metrics_listen_port }}', ipset: 'metrics.hq', comment: 'SMART Metrics' }
+ elasticsearch:
+ - { port: '{{ es_api_port }}', ipset: 'metrics.hq', iifname: 'wg0' }
+ - { port: '{{ es_api_port }}', ipset: 'logs.hq', iifname: 'wg0' }
+ - { port: '{{ es_api_port }}', ipset: 'logs.nimbus', iifname: 'wg0' }
+ - { port: '{{ es_api_port }}', ipset: 'dash.nimbus', iifname: 'wg0' }
+ - { port: '{{ es_node_port }}', ipset: 'logs.nimbus', iifname: 'wg0' }
+ - { port: '{{ es_node_port }}', ipset: 'dash.nimbus', iifname: 'wg0' }
+ elasticsearch_metrics:
+ - { port: '{{ es_exp_cont_port }}', ipset: 'metrics.hq', iifname: 'wg0' }
+ - { port: '{{ smart_metrics_listen_port }}', ipset: 'metrics.hq', iifname: 'wg0', comment: 'SMART Metrics' }
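Review bot: The first `es_api_port` rule under `elasticsearch:` names ipset `metrics.hq` where the removed list had `dash.hq`, so the migration also changes who may reach the ElasticSearch API: `dash.hq` loses access and `metrics.hq`, which the old list admitted only to the exporter and SMART ports, gains it. If that is a copy slip, the rule should read `- { port: '{{ es_api_port }}', ipset: 'dash.hq', iifname: 'wg0' }`; if it is intended, a comment above the rule should say so, because the commit message describes only a firewall backend change. The two `SERVICES` rules for ports 80 and 443 are also removed with no replacement in this hunk, so it is worth confirming they are opened elsewhere or no longer needed. With `open_ports_default_chain: 'VPN'` gone, each rule now appears to rely on its own `iifname: 'wg0'`, and a line such as `# Every rule here must set iifname: 'wg0'; there is no default chain any more.` above `open_ports_list:` would keep a later entry from being added without it (how the role treats a rule lacking `iifname` is not visible here).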