firewalld: Use nftables instead of iptables

restart service after setting the firewall backend

Fixes #1400
Fixes #1430

Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>

actions/firewall

@@ -22,6 +22,10 @@ Configuration helper for FreedomBox firewall interface.
 import argparse
 import subprocess
 
+import augeas
+
+from plinth import action_utils
+
 
 def parse_arguments():
     """Return parsed command line arguments as dictionary"""
@@ -68,9 +72,29 @@ def parse_arguments():
     return parser.parse_args()
 
 
+def set_firewall_backend(backend):
+    """Set FirewallBackend attribute to the specified string."""
+    conf_file = '/etc/firewalld/firewalld.conf'
+    aug = augeas.Augeas(flags=augeas.Augeas.NO_LOAD +
+                        augeas.Augeas.NO_MODL_AUTOLOAD)
+
+    # lens for shell-script config file
+    aug.set('/augeas/load/Shellvars/lens', 'Shellvars.lns')
+    aug.set('/augeas/load/Shellvars/incl[last() + 1]', conf_file)
+    aug.load()
+
+    aug.set('/files/{}/FirewallBackend'.format(conf_file),
+            '{}'.format(backend))
+    aug.save()
+
+    action_utils.service_enable('firewalld')
+    action_utils.service_restart('firewalld')
+
+
 def subcommand_setup(_):
     """Perform basic firewalld setup."""
     subprocess.call(['firewall-cmd', '--set-default-zone=external'])
+    set_firewall_backend('nftables')
 
     add_service('external', 'http')
     add_service('internal', 'http')

plinth/modules/firewall/__init__.py

@@ -30,11 +30,11 @@ from plinth.utils import format_lazy
 
 from .manifest import backup
 
-version = 1
+version = 2
 
 is_essential = True
 
-managed_packages = ['firewalld']
+managed_packages = ['firewalld', 'nftables']
 
 name = _('Firewall')