Configure firewall rules using nftables

Dockerfile

@@ -1,19 +1,20 @@
 FROM python:3.11-bookworm
 
-RUN apt-get update && apt-get install -y wget git libxslt-dev iptables kmod swig
+RUN apt-get update && apt-get install -y wget git libxslt-dev iptables kmod swig nftables python3-nftables
 
 RUN mkdir /usr/src/admin
 WORKDIR /usr/src/admin
 
 COPY requirements.txt ./
 COPY requirements-dev.txt ./
 
-RUN pip3 install --no-cache-dir -r requirements.txt
+RUN pip3 install -r requirements.txt
 
 COPY . .
 
 RUN update-alternatives --set iptables /usr/sbin/iptables-legacy && \
     update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy 
 
-ENV PYTHONPATH="/usr/src/admin"
+ENV PYTHONPATH="/usr/src/admin":/usr/lib/python3/dist-packages/
+
 ENV COLUMNS=80

core/schains/firewall/__init__.py

@@ -19,6 +19,7 @@
 
 from .firewall_manager import SChainFirewallManager  # noqa
 from .iptables import IptablesController  # noqa
+from .nftables import NFTablesController  # noqa
 from .rule_controller import SChainRuleController  # noqa
 from .types import IRuleController  # noqa
 from .utils import get_default_rule_controller  # noqa

core/schains/firewall/firewall_manager.py

@@ -22,6 +22,7 @@
 from typing import Iterable, Optional
 
 from core.schains.firewall.iptables import IptablesController
+from core.schains.firewall.nftables import NFTablesController
 from core.schains.firewall.types import (
     IFirewallManager,
     IHostFirewallController,
@@ -70,6 +71,11 @@
         rules_to_remove = actual_rules - expected_rules
         self.add_rules(rules_to_add)
         self.remove_rules(rules_to_remove)
+        self.save_rules()
+
+    def save_rules(self) -> None:
+        """ Saves rules into persistent storage """
+        self.host_controller.save_rules()
 
     def add_rules(self, rules: Iterable[SChainRule]) -> None:
         logger.debug('Adding rules %s', rules)
@@ -88,3 +94,11 @@
 class IptablesSChainFirewallManager(SChainFirewallManager):
     def create_host_controller(self) -> IptablesController:
         return IptablesController()
+
+
+class NFTSchainFirewallManager(SChainFirewallManager):
+    def create_host_controller(self) -> NFTablesController:
+        nc_controller = NFTablesController(chain=self.name)
+        nc_controller.create_table()
+        nc_controller.create_chain(self.first_port, self.last_port)
+        return nc_controller

core/schains/firewall/iptables.py

@@ -139,3 +139,6 @@
     @classmethod
     def to_ip_network(cls, ip: str) -> str:
         return str(ipaddress.ip_network(ip))
+
+    def save_rules(self):
+        raise NotImplementedError('save_rules is not implemented for iptables host controller')