revamp deez nuts

base/files/20-nftables.conf

@@ -1,5 +1,5 @@
 # Log kernel generated iptables messages to file
-:msg,contains,"IPv=" /var/log/iptables.log
+:msg,contains,"nft-blocked" /var/log/nftables.log
 
 # Don't log kernel-generated iptables log messages
 # anywhere but the file above.

base/repositories.sls

@@ -3,6 +3,14 @@
 {% set codename = grains["oscodename"] -%}
 {% set osarch = grains["osarch"] %}
 
+{% if codename != "stretch" %}
+/etc/apt/sources.list.d/debian-stretch-backports.list:
+  file.absent: {}
+
+/etc/apt/sources.list.d/debian-stretch-backports-sloppy.list:
+  file.absent: {}
+{% endif %}
+
 debian {{ codename }} backports:
   pkgrepo.managed:
   - humanname: debian-{{ codename }}-backports

base/syslog.sls

@@ -4,8 +4,11 @@
   file.absent
 
 /etc/rsyslog.d/20-iptables.conf:
+  file.absent
+
+/etc/rsyslog.d/20-nftables.conf:
   file.managed:
-  - source: "salt://base/files/20-iptables.conf"
+  - source: "salt://base/files/20-nftables.conf"
   - user: root
   - group: root
   - mode: 0740
@@ -15,4 +18,5 @@ rsyslog:
   - restart: true
   - watch:
     - file: /etc/rsyslog.d/20-ufw.conf
-    - file: /etc/rsyslog.d/20-iptables.conf
+    - file: /etc/rsyslog.d/20-iptables.conf
+    - file: /etc/rsyslog.d/20-nftables.conf

fwrules/init.sls

@@ -61,6 +61,18 @@ nftables firewall table:
   - require:
     - file: /etc/firewall/firewall.nft
 
+service.systemctl_reload:
+  module.run:
+  - service.systemctl_reload:
+  - onchanges:
+    - file: /lib/systemd/system/fwrules.service
+
+fwrules:
+  service.running:
+  - enable: true
+  - watch:
+    - file: /lib/systemd/system/fwrules.service
+
 {% if ("nft"|which) is not none %}
 {{ "nft"|which }} -f /etc/firewall/firewall.nft:
   cron.absent:

fwrules/templates/firewall.nft.j2

@@ -55,7 +55,7 @@ table inet firewall {
         {%- endif %}
 
         # Don't insert any rules after this log.
-        log flags all counter drop
+        log prefix "nft-blocked" flags all counter drop
     }
 
     chain output {