firewall: replace iptables with nftables (#2505)

* first adjustments to use Fail2Ban with nftables

* replace `iptables` -> `nftables` and adjust tests

nftables lists IPs a bit differently , so the order was adjusted for the
tests to be more flexible.

* line correction in mailserver.env

* change from `.conf` -> `.local` and remove redundant config

* revert HEREDOC to `echo`

Co-authored-by: Casper <casperklein@users.noreply.github.com>

test/mail_fail2ban.bats

@@ -64,14 +64,14 @@ function teardown_file() {
     run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get ${FILTER} maxretry"
     assert_output 2
 
-    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'dovecot', 'addaction', 'iptables-multiport']\""
-    assert_output "['set', 'dovecot', 'addaction', 'iptables-multiport']"
+    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'dovecot', 'addaction', 'nftables-multiport']\""
+    assert_output "['set', 'dovecot', 'addaction', 'nftables-multiport']"
 
-    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix', 'addaction', 'iptables-multiport']\""
-    assert_output "['set', 'postfix', 'addaction', 'iptables-multiport']"
+    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix', 'addaction', 'nftables-multiport']\""
+    assert_output "['set', 'postfix', 'addaction', 'nftables-multiport']"
 
-    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix-sasl', 'addaction', 'iptables-multiport']\""
-    assert_output "['set', 'postfix-sasl', 'addaction', 'iptables-multiport']"
+    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix-sasl', 'addaction', 'nftables-multiport']\""
+    assert_output "['set', 'postfix-sasl', 'addaction', 'nftables-multiport']"
   done
 }
 
@@ -96,9 +96,9 @@ function teardown_file() {
   run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep '${FAIL_AUTH_MAILER_IP}'"
   assert_success
 
-  # Checking that FAIL_AUTH_MAILER_IP is banned by iptables and blocktype set to DROP
-  run docker exec mail_fail2ban /bin/sh -c "iptables -n -L f2b-postfix-sasl"
-  assert_output --regexp "DROP.+all.+${FAIL_AUTH_MAILER_IP}"
+  # Checking that FAIL_AUTH_MAILER_IP is banned by nftables and blocktype set to DROP
+  run docker exec mail_fail2ban /bin/sh -c "nft list set inet f2b-table addr-set-postfix-sasl 2>/dev/null"
+  assert_output --regexp "${FAIL_AUTH_MAILER_IP}"
 }
 
 @test "checking fail2ban: unban ip works" {
@@ -111,9 +111,9 @@ function teardown_file() {
   run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*${FAIL_AUTH_MAILER_IP}'"
   assert_failure
 
-  # Checking that FAIL_AUTH_MAILER_IP is unbanned by iptables
-  run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '${FAIL_AUTH_MAILER_IP}'"
-  assert_failure
+  # Checking that FAIL_AUTH_MAILER_IP is unbanned by nftables
+  run docker exec mail_fail2ban /bin/sh -c "nft list set inet f2b-table addr-set-postfix-sasl 2>/dev/null"
+  refute_output "${FAIL_AUTH_MAILER_IP}"
 }
 
 #
@@ -128,13 +128,15 @@ function teardown_file() {
   sleep 10
 
   run ./setup.sh -c mail_fail2ban debug fail2ban
-  assert_output --regexp "^Banned in dovecot: 192.0.66.5, 192.0.66.4.*"
+  assert_output --partial 'Banned in dovecot:'
+  assert_output --partial '192.0.66.5'
+  assert_output --partial '192.0.66.4'
 
   run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.4
   assert_output --partial "Unbanned IP from dovecot: 1"
 
   run ./setup.sh -c mail_fail2ban debug fail2ban
-  assert_output --regexp "^Banned in dovecot: 192.0.66.5.*"
+  assert_output --regexp "^Banned in dovecot:.*192.0.66.5.*"
 
   run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.5
   assert_output --partial "Unbanned IP from dovecot: 1"