Add nftables (+iptables) resource to set rules

[frebib]

nftables would be a more suitable candidate for mgmt because:

• nft monitor provides an event to watch for changes in rules (https://wiki.nftables.org/wiki-nftables/index.php/Monitoring_ruleset_updates)
• nft rule swaps are atomic (https://wiki.nftables.org/wiki-nftables/index.php/Atomic_rule_replacement)
• nft has a backward-compatible iptables-nft layer for iptables users
  • This comes at a small performance penalty though, so devices that have heavy network I/O or a lot of iptables rules may see increased softirq with nft.

iptables has none of these things above, but should probably be provided for compatibility to cover point (3)

[purpleidea]

For iptables/nftables stuff, usually I expect a "holistic view" of firewall control. IOW, entirely managed by the automation tool. As a result, I don't know how valuable it is to monitor for changes unless you're working in a "brownfield" environment. For firewalling specifically, I'm a huge fan of shorewall, which works declaratively, and maps very well to mgmt. I previously wrote a puppet module for this, which is almost exactly what I'd want to do in mgmt. See: https://github.com/purpleidea/puppet-shorewall

Having said all that, it's fantastic that there are native events in nftables, and there might be interesting things we could do there!

[frebib]

Looking over your shorewall module, I think we're on the same lines. The user should be able to:

• define one or more rules, with the complete set of options provided by the backend (i.e. not limited to only "what is implemented")
• define rule ordering, because in most cases that's important
• have rules reloaded as atomically as possible (especially important on say something like a router, which is my aim for this)

I do expect that the user manages the entire firewall configuration with mgmt, although IMO it would be better if that wasn't a working assumption. If a user drops a config file into the directory, we should reload the rules according to what the filesystem defines. I suppose also it would be sensible to prevent external changes by watching for changes in the directory and cleaning it, to prevent iptables/nftables/shorewall/whatever from loading unmanaged config.

It's entirely possible that actually this can be implemented in mcl using just the cli tools and doesn't need any golang at all. I haven't really given it much thought beyond "this is something I'll probably need"

[purpleidea]

we should reload the rules according to ...

Yup, this is doable.

it would be sensible to prevent external changes by watching for changes in the directory and cleaning it

This is possible with the file/dir resource called "purge" https://github.com/purpleidea/mgmt/blob/master/engine/resources/file.go#L166

doesn't need any golang at all.

I expect this is the case.

[purpleidea]

Btw, I had forgotten about this issue, but as I was browsing, I noticed it! I thought you might like to know that I wrote a firewalld resource, which is merged and working great. Feel free to extend it if you're missing some feature.

I'm personally not using firewalld for servers, and I think shorewall is awesome, but for desktop cases or for people who think they want firewalld, have at it =D

As an aside, the Watch code is done in case someone wants to add a new resource for nftables by itself as we use that in firewalld.