From 9dab86bd5669c9747fdf9d1923107db382db7942 Mon Sep 17 00:00:00 2001
From: Siddarth Kumar
Date: Tue, 3 Sep 2024 15:43:41 +0530
Subject: [PATCH] all: migrate iptables to nftables
- set `bootstrap__firewall_nftables` var to true
- adjust `open_ports_list` to match the structure needed to run firewall role
changes applied to all hosts in test and sandbox environment of infra-waku
related to : https://github.com/status-im/infra-misc/issues/301
---
 ansible/group_vars/all.yml | 3 +++
 ansible/group_vars/node-db.yml | 5 ++---
 ansible/group_vars/node.yml | 15 +++++++--------
 3 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 2e31688..04bd18c 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -1,6 +1,9 @@
 ---
 # Root password
 bootstrap__root_pass: '{{lookup("bitwarden", "root-pass")}}'
+# Migrated to NFTables from IPTables.
+# https://github.com/status-im/infra-misc/issues/301
+bootstrap__firewall_nftables: true
 # Consul
 bootstrap__consul_encryption_key: '{{lookup("bitwarden", "consul/cluster", field="encryption-key")}}'
 bootstarp__consul_agent_acl_token: '{{lookup("bitwarden", "consul/acl-tokens", field="agent-default")}}'
diff --git a/ansible/group_vars/node-db.yml b/ansible/group_vars/node-db.yml
index a8c602f..6f55e6f 100644
--- a/ansible/group_vars/node-db.yml
+++ b/ansible/group_vars/node-db.yml
@@ -19,7 +19,6 @@ postgres_ha_backup: false
 
 # Open PostgreSQL Port
 open_ports_default_comment: '{{ postgres_ha_service_name }}'
-open_ports_default_chain: 'SERVICES'
-open_ports_default_protocol: 'tcp'
 open_ports_list:
-  - { port: '{{ postgres_ha_cont_port }}', ipset: '{{ env }}.{{ stage }}' }
+  postgres:
+    - { port: '{{ postgres_ha_cont_port }}', ipset: '{{ env }}.{{ stage }}', iifname: 'wg0' }
diff --git a/ansible/group_vars/node.yml b/ansible/group_vars/node.yml
index 37eb7aa..bd39609 100644
--- a/ansible/group_vars/node.yml
+++ b/ansible/group_vars/node.yml
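Review bot: `bootstrap__firewall_nftables: true` in all.yml switches the firewall backend for every host that inherits this file, yet only node.yml and node-db.yml in this patch have their `open_ports_list` converted to the new keyed structure and their `open_ports_default_chain`/`open_ports_default_protocol` removed. Any other group or host file outside this diff that still uses the flat list or those default vars would presumably be ignored or rejected by the nftables role, so it is worth grepping the remaining group_vars before this lands. The added comment says only that a migration happened; a line such as `# Selects the nftables firewall role for all hosts; open_ports_list must use the per-service keyed layout.` would tell the next reader what the toggle actually changes.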
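Review bot: `open_ports_default_comment: '{{ postgres_ha_service_name }}'` is kept while its siblings `open_ports_default_chain` and `open_ports_default_protocol` are deleted, and node.yml drops `open_ports_default_comment` in the same migration, so node-db.yml is now inconsistent with node.yml and it is unclear whether the new role still reads the variable. Either remove it or move it inline as `comment: '{{ postgres_ha_service_name }}'` on the postgres entry, matching the per-entry comments node.yml now uses. The entry also carries no `protocol`, so with the explicit tcp default gone it relies on whatever the role defaults to; spelling out `protocol: 'tcp'` keeps the PostgreSQL exposure unambiguous. Adding `iifname: 'wg0'` alongside the ipset is a good tightening, assuming the role combines both matches rather than treating them as alternatives.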
@@ -88,15 +88,14 @@ conn_limit_limit: 20
 conn_limit_dport: '{{ nim_waku_websock_port }}'
 
 # Open LibP2P Ports
-open_ports_default_comment: '{{ nim_waku_cont_name }}'
-open_ports_default_chain: 'SERVICES'
-open_ports_default_protocol: 'tcp'
 open_ports_list:
-  - { port: '80', comment: 'Nginx and Certbot' }
-  - { port: '{{ nim_waku_p2p_tcp_port }}' }
-  - { port: '{{ nim_waku_disc_v5_port }}', protocol: 'udp' }
-  - { port: '{{ nim_waku_websock_port }}' }
-  - { port: '{{ nim_waku_metrics_port }}', chain: 'VPN', ipset: 'metrics.hq' }
+  nginx:
+    - { port: '80', comment: 'Nginx and Certbot' }
+  nim-waku:
+    - { port: '{{ nim_waku_p2p_tcp_port }}', comment: 'libp2p' }
+    - { port: '{{ nim_waku_disc_v5_port }}', comment: 'discovery v5', protocol: 'udp' }
+    - { port: '{{ nim_waku_websock_port }}', comment: 'websocket' }
+    - { port: '{{ nim_waku_metrics_port }}', comment: 'metrics', ipset: 'metrics.hq', iifname: 'wg0' }
 
 # Public Config file access
 nginx_sites:
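Review bot: The `conn_limit_*` variables in the context lines just above the hunk (`conn_limit_dport: '{{ nim_waku_websock_port }}'`) configured a connection limit on the websocket port under the iptables-era role, and nothing in this hunk shows whether the nftables role consumes them; confirm that limit is still applied to `nim_waku_websock_port` after the switch, otherwise the migration silently drops a rate limit on a publicly reachable port. The `# Open LibP2P Ports` comment now also heads the `nginx` entry, so `# Open Nginx and LibP2P Ports` would match the new grouping. The p2p, websocket and nginx entries carry no `protocol` now that the explicit `open_ports_default_protocol: 'tcp'` is removed, so they depend on the role's default, which is consistent with node-db.yml but worth stating once in a comment. The metrics entry moving from `chain: 'VPN'` to `ipset: 'metrics.hq', iifname: 'wg0'` keeps that port off the public interface, assuming the role applies both matches together.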