The new package will install with files in /etc/nftfw - because that is the Debian way. So it’s all in one place. Once /etc/nftfw exists, nftfw will automatically switch to /etc/nftfw and /var/lib/nftfw in preference to files under /usr/local/. This has been there since the start.
Everything in /etc/sympl/firewall will be ignored. Sympl rules are written in Ruby and nftfw rules are small shell scripts. Automatic conversion is not easy and I’ve avoided doing that; it’s possibly an AI task. However, nftfw has mirrored all the Sympl rules.
There is, however, a new Python script in the distribution called import_tool which is standalone and will scan for all settings in /etc/sympl/firewall and install them in /etc/nftfw (or /usr/local/etc/nftfw if that exists and the /etc/ file doesn’t). It will ignore the myriad Sympl aliases for rules and will rename files in incoming.d if needed.
It will also flag local rules that need porting into nftfw and will also ignore various rules from Sympl that are not needed for nftfw. It tells you what it’s doing and why - you have to tell it to write files. So it’s safe to run, if you want to look at what will happen. Look at the README file, and run the import_tool with no arguments to get a bunch of how-to-do-stuff information. Oh - the help assumes that it’s installing in /etc/nftfw, but it will update things in /usr/local/etc/nftfw. The first thing it says is where it’s found the source and destination.
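The two directory-precedence rules described above (the runtime switch to /etc/nftfw once it exists, and import_tool’s choice of destination per file) as an added example that is not nftfw’s own code. Root paths are parameters, and the rule file name and contents are constructed, so it runs against a temporary tree rather than the real /etc or /usr/local.

```python
import tempfile
from pathlib import Path


def runtime_config_dir(etc_dir, local_dir):
    """Control directory a running nftfw reads: the packaged location
    (/etc/nftfw) as soon as it exists, otherwise the manual-install
    location under /usr/local (assumed to be /usr/local/etc/nftfw)."""
    etc_dir, local_dir = Path(etc_dir), Path(local_dir)
    return etc_dir if etc_dir.is_dir() else local_dir


def import_destination(etc_dir, local_dir, rel_name):
    """Where import_tool writes one imported file: /etc/nftfw unless the
    /usr/local tree exists and the /etc copy of this file does not."""
    etc_dir, local_dir = Path(etc_dir), Path(local_dir)
    if local_dir.is_dir() and not (etc_dir / rel_name).exists():
        return local_dir / rel_name
    return etc_dir / rel_name


def demo():
    """Constructed scenario: a manual install exists, /etc/nftfw does not yet.
    Returns (before_switch, import_dest, after_switch) for inspection."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc", "nftfw")
        local = Path(root, "usr", "local", "etc", "nftfw")
        rule = "incoming.d/10-constructed-rule"  # constructed name
        (local / "incoming.d").mkdir(parents=True)
        (local / rule).write_text("# constructed nftfw rule\n")
        before = runtime_config_dir(etc, local)
        dest = import_destination(etc, local, rule)
        # Once the package creates /etc/nftfw, the runtime switches over.
        etc.mkdir(parents=True)
        after = runtime_config_dir(etc, local)
        return before == local, dest == local / rule, after == etc


if __name__ == "__main__":
    print(demo())
```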
There is also a new Uninstall.sh script. It can remove a manually installed version. It assumes that all control files are in /usr/local/etc/nftfw. It also asks what to do, so you can retain control files and just move them into /etc and /var/lib before installing the new package. Assuming that the control files are in /usr/local/etc/nftfw and rules, config.ini and nftfw_init.nft match - then it should be a simple change to switch. This will be tested.
The new stuff is actually on GitHub now - version v0.8.1. The new version implies small changes to the APIs. See the Changelog file for what’s altered. It has the changes to config.ini - removing the Owner section and the pointer to /etc/sympl/firewall. There is also a change to nftfw_init.nft - to move the essential IPv6 rules into the template, because I recently found that they were needed there to allow selective blocking of IPv6 services while allowing the local IPv6 essential packets to get through. There are changes to files in rule.d which will need installing, mostly to make them no-ops.
There are slight changes to the Install.sh script that will install updated rules into rule.d - and will create local.d which is the place for local rules. It will also comment on things that need updating by hand. The rule.d directory will now be updated on new releases.
Finally, installing the Debian package is so much easier than the manual installation. I’m putting the final touches to it, and when ready it will be version 1.0.0 or thereabouts of nftfw.