voxpupuli / puppet-nftables

Puppet Module to manage nftables firewall rules.
Apache License 2.0

default debian config not overwritten -> noflush_tables not working #155

Closed dmaes closed 1 month ago

dmaes commented 1 year ago

How to reproduce (e.g. Puppet code you use)

Use this module on Debian, optionally set the noflush_tables parameter

What are you seeing

Despite setting noflush_tables, all my tables were flushed when doing a systemctl reload nftables. Upon further investigation, I saw that, on Debian, the default config path /etc/nftables.conf is used in the systemd service overwrite, and that file_line is used to add include "/etc/nftables/puppet.nft" to include all the rules from the puppet-managed files.

The problem is, Debian has the following config by default in /etc/nftables.conf:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}

This does not get cleaned up, only the include ... line is added at the end, meaning you will always flush all tables and create a default inet filter table and chains, before you get to the puppet-managed part.

I think either this file needs to be cleaned up by the module, or a new, empty, file needs to be used. Else we get unexpected results, like noflush_tables not working, and possibly other things if Debian maintainers decide to add other defaults to a file that we use, but don't fully manage...
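The situation described above, as an added shell check that is not part of the puppet-nftables module: it reads an nftables.conf on stdin and lists every top-level statement that runs before the include "/etc/nftables/puppet.nft" line, which on a stock Debian file are flush ruleset and the default table inet filter. Both sample configs are constructed for the example.

```sh
#!/bin/sh
# Added example (not module code): audit /etc/nftables.conf for statements that
# run on every reload before the puppet include, i.e. outside Puppet's control.
# Exit 0: include is the only active statement; 1: defaults precede it; 2: no include.
check_nft_conf() {
  seen_include=0 before=0 depth=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:space:]]*}"}        # strip leading indentation
    case "$line" in
      ''|'#'*) continue ;;                        # blank, comment or nft shebang
      include*puppet.nft*) seen_include=1; continue ;;
    esac
    # Only top-level statements are reported; lines inside a table/chain block
    # belong to the table statement that opened it.
    if [ "$depth" -eq 0 ] && [ "$seen_include" -eq 0 ]; then
      echo "runs before the puppet include: $line"
      before=$((before + 1))
    fi
    case "$line" in *'{'*) depth=$((depth + 1)) ;; esac
    case "$line" in *'}'*) depth=$((depth - 1)) ;; esac
  done
  [ "$seen_include" -eq 1 ] || return 2
  [ "$before" -eq 0 ]
}

# Constructed sample: Debian's stock /etc/nftables.conf (one chain kept) with the
# include line that the module's file_line resource appends at the end.
debian_default_with_include() {
  cat <<'EOF'
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;
    }
}
include "/etc/nftables/puppet.nft"
EOF
}

# Constructed sample: a fully managed file whose only statement is the include.
include_only() {
  cat <<'EOF'
#!/usr/sbin/nft -f
include "/etc/nftables/puppet.nft"
EOF
}

echo "--- Debian default + appended include"
debian_default_with_include | check_nft_conf || echo "exit $?: default rules still load first"
echo "--- include only"
include_only | check_nft_conf && echo "exit 0: only puppet-managed rules load"
```

Run it against a live host with check_nft_conf < /etc/nftables.conf to see whether noflush_tables can take effect at all.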

traylenator commented 1 month ago

New parameter added to allow clobber of default rules.