From be853cc9f6a0e9a4631561dbeee0d2df2ed96044 Mon Sep 17 00:00:00 2001
From: Daniel Flanagan
Date: Sat, 10 Jul 2021 14:46:26 -0500
Subject: [PATCH] FIREWALL

---
 dnsmasq.conf | 2 ++
 firewall-edit.sh | 22 ++++++++++++++++------
 nftables => nftables.conf | 9 +++++++--
 3 files changed, 25 insertions(+), 8 deletions(-)
 rename nftables => nftables.conf (91%)

diff --git a/dnsmasq.conf b/dnsmasq.conf
index 333d568..315786e 100644
--- a/dnsmasq.conf
+++ b/dnsmasq.conf
@@ -224,6 +224,8 @@ dhcp-range=10.0.0.5,10.0.0.250,255.255.255.0,10m
 # need to be on the same network. The order of the parameters in these
 # do not matter, it's permissible to give name, address and MAC in any
 # order.
+dhcp-host=f0:2f:74:c9:9b:61,dragon,10.0.0.5,12h
+# dhcp-host=????,faceless,10.0.0.10,12h
 
 # Always allocate the host with Ethernet address 11:22:33:44:55:66
 # The IP address 192.168.0.60
diff --git a/firewall-edit.sh b/firewall-edit.sh
index 5621f2b..a13a2af 100755
--- a/firewall-edit.sh
+++ b/firewall-edit.sh
@@ -2,9 +2,19 @@
 # TODO: diff with existing before just overwriting what's here in git?
 
 
-f="$(dirname "$(realpath "$0")")/nftables"
-sudo rm "$f"
-printf "flush ruleset\n\n" > "$f"
-sudo nft -s list ruleset >> "$f"
-sudo nvim "$f" && sudo nft -f "$f"
-# TODO: should this be sync'd to /etc/nftables.conf
+my_config="$(dirname "$(realpath "$0")")/nftables.conf"
+
+# we don't care about existing rules - just use ours, thanks
+# sudo nft -s list ruleset >> "$f"
+
+sudo nvim "$my_config"
+cat "$my_config"
+echo "Do you want to load this config? [y/N]"
+read -r l
+[[ $l == "y" ]] && {
+ printf "flush ruleset\n\n" > "/tmp/nftables.txt"
+ cat "$my_config" >> "/tmp/nftables.conf"
+ sudo nft -f "/tmp/nftables.conf"
+ sudo cp "$my_config" "/etc/nftables.conf"
+ echo "Done loading!"
+}
diff --git a/nftables b/nftables.conf
similarity index 91%
rename from nftables
rename to nftables.conf
index ddffafc..54a96d6 100644
--- a/nftables
+++ b/nftables.conf
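Review bot: The new reservation `dhcp-host=…,dragon,10.0.0.5,12h` points at the first address of the dynamic pool declared in the hunk header (`dhcp-range=10.0.0.5,10.0.0.250,…,10m`), and the commented-out `faceless` entry targets 10.0.0.10 inside the same pool. dnsmasq is expected to keep a `dhcp-host` address out of dynamic allocation, but placing static leases below the range start (or starting the range above them) makes a collision impossible and the static/dynamic split easier to audit; the 12h lease on the reservations versus 10m on the pool also looks deliberate but is worth a one-line comment. The `????` placeholder carries no marker, so it reads as a disabled reservation rather than unfinished work; `# TODO: fill in the MAC before enabling this entry` above it would make the intent clear.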
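Review bot: The `flush ruleset` preamble is written to `/tmp/nftables.txt` but the config is appended to and loaded from `/tmp/nftables.conf`, so the flush never reaches `nft -f` and, because of `>>`, each run appends another copy of the config to the same file and re-adds every rule on load. That file is also a fixed name in the shared /tmp directory that root then reads, so any local user who pre-creates it controls what gets loaded; a `mktemp` file removed by a trap avoids both problems. No `set -e` is visible in the hunk, so a failed `nft -f` is still followed by the `cp` into /etc/nftables.conf — chaining the steps, with a `nft -c -f` check first, installs only a ruleset that actually loaded. The `&&` form additionally exits non-zero on any answer other than `y`, the stale comment `# sudo nft -s list ruleset >> "$f"` refers to the removed `$f`, and editing the repo-owned file does not need `sudo nvim`.
```shell
# … unchanged: my_config assignment, editor, cat and the [y/N] prompt …
if [[ $l == "y" ]]; then
  tmp=$(mktemp) || exit 1
  trap 'rm -f -- "$tmp"' EXIT
  printf 'flush ruleset\n\n' > "$tmp"
  cat -- "$my_config" >> "$tmp"
  sudo nft -c -f "$tmp" \
    && sudo nft -f "$tmp" \
    && sudo cp -- "$my_config" /etc/nftables.conf \
    && echo "Done loading!"
fi
```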
@@ -1,5 +1,3 @@
-flush ruleset
-
 table inet filter {
 chain input {
 type filter hook input priority filter; policy accept;
@@ -23,6 +21,11 @@ table inet filter {
 type filter hook output priority filter; policy accept;
 }
 }
+
+# the following two blocks were generated by restarting systemd-networkd and
+# dumping nftables
+
+# nat ipv4 for lan
 table ip io.systemd.nat {
 set masq_saddr {
 type ipv4_addr
@@ -49,6 +52,8 @@ table ip io.systemd.nat {
 ip saddr @masq_saddr masquerade
 }
 }
+
+# nat ipv6 for lan (probably unnecessary?)
 table ip6 io.systemd.nat {
 set masq_saddr {
 type ipv6_addr
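Review bot: Dropping `flush ruleset` from the top of the file makes the committed nftables.conf non-idempotent on its own: the script in this commit copies it verbatim to /etc/nftables.conf, so a direct `nft -f /etc/nftables.conf` (for example a reload of the distribution's nftables service, if that unit loads the file this way) adds to the live ruleset instead of replacing it, and the flush now exists only in the script's temporary file. Keeping `flush ruleset` as the first line is safe because `nft -f` applies the whole file as a single transaction, so the flush and the new rules land atomically, and the script's prepend step becomes unnecessary.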
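Review bot: The new comment says the `io.systemd.nat` tables were obtained by restarting systemd-networkd and dumping the ruleset, which suggests networkd creates and maintains these tables itself (its `IPMasquerade=` handling); committing a static copy into the firewall file gives the same table and `masq_saddr` set two writers, and whichever loads later defines the live contents. If networkd is the intended owner, `# managed by systemd-networkd (IPMasquerade=); this static copy duplicates its rules` documents the risk until the blocks are removed. Otherwise the comment should name the networkd setting that was turned off so a reader knows this file is the single source.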