From 843ef82813fe7fa8291a5732b778a54f08dbbef4 Mon Sep 17 00:00:00 2001 From: lub Date: Thu, 26 Mar 2020 16:15:41 +0100 Subject: [PATCH] remove nftables --- config/etc/nftables.conf | 75 ----------------------------------- post-debootstrap-installer.sh | 4 -- 2 files changed, 79 deletions(-) delete mode 100644 config/etc/nftables.conf diff --git a/config/etc/nftables.conf b/config/etc/nftables.conf deleted file mode 100644 index b71d218..0000000 --- a/config/etc/nftables.conf +++ /dev/null 
@@ -1,75 +0,0 @@ -#!/usr/sbin/nft -f - -flush ruleset - -# don't use inet instead of ip&ip6, -# because Docker doesn't support it, yet -# see https://maximilianehlers.com/blog/nftables-and-docker/ for more details - -table ip filter { - chain INPUT { - type filter hook input priority 0; - policy drop; - - - # allow already established connections (e.g. initiated by this host) - ct state related,established accept - - # allow ICMP - ip protocol icmp accept - - # allow anything on localhost - iifname "lo" accept - - # allow SSH for remote management - tcp dport 22 accept - - - ## docker - - # cluster management communications - tcp dport 2377 accept - - # communication among nodes - tcp dport 7946 accept - udp dport 7946 accept - - # overlay network traffic - udp dport 4789 accept - - # allow IPSEC connections (encrypted overlay networks) - ip protocol esp accept - } - chain FORWARD { - type filter hook forward priority 0; - policy drop; - } - chain OUTPUT { - type filter hook output priority 0; - policy accept; - } -} -table ip6 filter { - chain INPUT { - type filter hook input priority 0; - policy drop; - - - # allow already established connections (e.g. initiated by this host) - ct state related,established accept - - # allow ICMPv6 - ip6 nexthdr icmpv6 accept - - # allow anything on localhost - iifname "lo" accept - } - chain FORWARD { - type filter hook forward priority 0; - policy drop; - } - chain OUTPUT { - type filter hook output priority 0; - policy accept; - } -} \ No newline at end of file diff --git a/post-debootstrap-installer.sh b/post-debootstrap-installer.sh index 1bca307..ae816ea 100755 --- a/post-debootstrap-installer.sh +++ b/post-debootstrap-installer.sh 
@@ -60,15 +60,11 @@ apt-get -y install linux-image-amd64 ### networking apt-get -y install iproute2 -# --force-confold because we already provide /etc/nftables.conf -apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install nftables # generate configs for systemd-networkd.service # this is template specific "/hardware-setup/hardware/${1}/network.sh" -systemctl enable systemd-networkd.service nftables.service - ### Docker # has to be executed before the users section,
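Review bot: The removed line `systemctl enable systemd-networkd.service nftables.service` also enabled systemd-networkd.service, and the new side does not re-enable it, so unless `/hardware-setup/hardware/${1}/network.sh` enables the unit itself the generated network configs will not be applied on first boot; keep `systemctl enable systemd-networkd.service` after the network.sh call. Dropping the nftables install also leaves the host with no default-drop input filter, whereas the deleted ruleset limited inbound traffic to SSH, ICMP and the Docker swarm ports; the hunk adds no replacement, so a comment stating where host filtering is now expected to happen, e.g. `# no host firewall is installed here; inbound filtering must be provided elsewhere`, would help the next reader. The enclosing script continues outside the hunk.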