* Note: Add lightweight quick controls for allowed ports, services, and port forwards, with service autocomplete, ACLs, and structured NAT redirect/DNAT editing.
* Note: Resolve nftables profile service ports from supported Webmin module configs and /etc/services, with safe fallbacks and SSH custom-port regression coverage.
https://github.com/webmin/webmin/issues/2706
* Note: Add a reusable save_profile_ruleset() API for other modules (like Virtualmin Config), and.
Example:
foreign_require("nftables");
nftables::save_profile_ruleset('profile_virtualmin', 'virtualmin', '*');
* Note: Create profile rulesets using named inet_service sets for selected service ports instead of emitting one accept rule per port. Keep scoped rules such as DHCPv6 and mDNS explicit, split TCP and UDP port sets to avoid widening access, and normalize interval set elements so ranges are valid and non-overlapping.
* Note: Track saved nftables configuration changes with Apache-style config/apply timestamp flags, expose the standard restart.cgi header action for themes, and use it as the single apply endpoint. The button expands to “Apply Changes” when saved rules need applying, while the existing Apply Configuration action now routes through restart.cgi and clears the pending state after a successful apply.
* Note: When a table is deleted from the nftables module, also remove that same table from the active kernel ruleset. The delete path now updates the saved Webmin configuration first, then runs a targeted nft delete table for the selected table only, after checking that the active table is not externally managed.
* Note: Prevent incompatible nftables sets from being used in rule fields. The rule editor now only offers address sets for address matches and port/service sets for port matches, while save and apply paths validate existing set references before writing or loading rules. This avoids nft datatype mismatch errors such as using inet_proto sets with tcp dport.
Rework the nftables module so Webmin manages its saved nftables configuration as the source of truth instead of directly editing the live ruleset. Add an active ruleset view for inspecting live tables and importing copies into Webmin-managed config if needed, track managed and imported tables with metadata, and prevent externally managed tables from being overwritten during apply.
Co-authored-by: Copilot <copilot@github.com>
Fix nftables direct-mode operations so create, edit, delete, and move actions apply only the selected table instead of rewriting or applying the full ruleset. This avoids copying firewalld-owned rules, or any other externally managed rules, into Webmin’s save file and prevents operations from failing against externally managed tables. Also remove previously added unsafe full-ruleset flush action and keep Apply Configuration out of direct mode (will be further reworked).
