
Add support for nftables alongside iptables#1036

Draft
Copilot wants to merge 4 commits into master from copilot/add-nftables-support

Conversation


Copilot AI commented Dec 20, 2025

This PR implements nftables support as an alternative firewall backend alongside the existing iptables support, addressing the feature request for nftables compatibility.

Implementation Overview

The implementation adds a firewall abstraction layer that supports both iptables and nftables backends:

  • Firewall Interface: Created a Firewall interface in internal/network/firewall.go that abstracts firewall operations
  • iptablesFirewall: Wraps the existing iptables implementation
  • nftablesFirewall: New implementation using github.com/google/nftables with netlink for direct kernel communication (no nftables binary required)

Configuration Options

Users can now choose their preferred firewall backend via:

  • CLI flag: --vpn-firewall-backend (values: auto/iptables/nftables)
  • Environment variable: WG_VPN_FIREWALL_BACKEND
  • YAML config: vpn.firewallBackend

The default "auto" mode intelligently tries nftables first and gracefully falls back to iptables if nftables is unavailable.

Features

  • ✅ Full feature parity: client isolation, allowed IPs filtering, NAT/MASQUERADE
  • ✅ Complete backward compatibility with existing iptables-based deployments
  • ✅ Auto-detection with smart fallback
  • ✅ Netlink-based communication (no external binaries needed)
  • ✅ Follows RFC 791 (IPv4) and RFC 2460 (IPv6) specifications
  • ✅ Passed security analysis (CodeQL: 0 alerts)

Technical Details

The nftables implementation:

  • Creates a dedicated wg-access-server table for both IPv4 and IPv6
  • Configures forward chain for traffic filtering
  • Configures postrouting chain for NAT/MASQUERADE operations
  • Uses github.com/google/nftables library for netlink-based kernel communication
  • Supports all existing firewall features without requiring configuration changes

This implementation maintains the maintainability of the codebase while providing modern nftables support for systems that prefer or require it.

Original prompt

This section details the original issue you should resolve

<issue_title>Support for nftables</issue_title>
<issue_description>At the moment only iptables are supported and it would be nice if nftables were supported as well.</issue_description>

Comments on the Issue (you are @copilot in this section)

<comment_new>@awlx @DasSkelett maybe we can switch to using netlink for nftables programming; that's even possible on machines which don't have nftables binaries.

https://github.com/google/nftables</comment_new>
<comment_new>@DasSkelett
Yeah, I tried adding nftables support with that library in the past, but in the end the rule building was too low-level for my liking; see for example:
https://github.com/siderolabs/talos/blob/dea17d72340b1deddea2215b556a4f193d1feb7f/internal/app/machined/pkg/controllers/kubespan/nftables.go#L181-L223

I might give it another try, but it will definitely decrease the maintainability and expandability of this part of the code.</comment_new>


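The backend selection and chain layout from the PR summary above, as an added example written for this page; it is not code from this PR or from the project the PR targets. It uses only the Go standard library: the netlink handshake and the iptables binary lookup are replaced by injectable availability checks (FakeBackend), and the Firewall method set, the MemFirewall recorder, the ConfigureVPN rule order and the sample addresses are all assumptions of the example. Nothing here talks to a kernel.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Terminal verdicts: in nftables and iptables alike the first matching rule that yields one decides.
const Accept, Drop = "accept", "drop"

// Firewall mirrors the abstraction the PR describes; this method set is an assumption of the example.
type Firewall interface {
	Name() string
	Forward(src, dst netip.Prefix, verdict string) error // rule in the forward chain
	Masquerade(outIface string) error                    // rule in the postrouting chain
}

type rule struct{ src, dst netip.Prefix; verdict string }

// MemFirewall stands in for either backend (no netlink, no binaries) and records its chains.
type MemFirewall struct {
	name    string
	forward []rule
	policy  string // chain policy, used when no rule yields a terminal verdict
	Masq    []string
}

func (m *MemFirewall) Name() string { return m.name }
func (m *MemFirewall) Forward(src, dst netip.Prefix, v string) error { m.forward = append(m.forward, rule{src, dst, v}); return nil }
func (m *MemFirewall) Masquerade(oif string) error { m.Masq = append(m.Masq, oif); return nil }

// ForwardVerdict evaluates a packet as the kernel does: rules in order, first terminal verdict wins, else policy.
func (m *MemFirewall) ForwardVerdict(src, dst netip.Addr) string {
	for _, r := range m.forward {
		if r.src.Contains(src) && r.dst.Contains(dst) {
			return r.verdict
		}
	}
	return m.policy
}

// Backend is one candidate: a name, an availability check and a constructor.
type Backend struct {
	Name      string
	Available func() error
	Open      func() Firewall
}

// FakeBackend fixes availability from err (nil = available), standing in for the netlink
// handshake or the iptables binary lookup. Chain policy is accept, the default for a fresh
// base chain, so anything the rules do not explicitly drop is forwarded.
func FakeBackend(name string, err error) Backend {
	return Backend{
		Name:      name,
		Available: func() error { return err },
		Open:      func() Firewall { return &MemFirewall{name: name, policy: Accept} },
	}
}

// SelectBackend applies the PR's mode semantics: "auto" tries nftables first and falls back
// to iptables; an explicit choice is honoured or fails, never silently replaced, so the
// rules always end up in the subsystem the operator audits.
func SelectBackend(mode string, nft, ipt Backend) (Firewall, error) {
	order := map[string][]Backend{"auto": {nft, ipt}, "nftables": {nft}, "iptables": {ipt}}[mode]
	if order == nil {
		return nil, fmt.Errorf("unknown firewall backend %q (want auto, iptables or nftables)", mode)
	}
	var errs []error
	for _, b := range order {
		if err := b.Available(); err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", b.Name, err))
			continue
		}
		return b.Open(), nil
	}
	return nil, fmt.Errorf("no usable firewall backend for mode %q: %v", mode, errs)
}

// ConfigureVPN installs the rule set the PR lists in an enforceable order: client isolation as a
// terminal drop ahead of the allowed-IPs accepts, a final drop so the chain policy never decides,
// then masquerade on the upstream interface.
func ConfigureVPN(fw Firewall, vpn netip.Prefix, allowed []netip.Prefix, upstream string) error {
	rules := []rule{{vpn, vpn, Drop}}
	for _, dst := range allowed {
		rules = append(rules, rule{vpn, dst, Accept})
	}
	for _, r := range append(rules, rule{vpn, netip.MustParsePrefix("0.0.0.0/0"), Drop}) {
		if err := fw.Forward(r.src, r.dst, r.verdict); err != nil {
			return err
		}
	}
	return fw.Masquerade(upstream)
}

func main() {
	// Constructed scenario: auto mode on a host whose nf_tables netlink probe fails.
	fw, err := SelectBackend("auto", FakeBackend("nftables", fmt.Errorf("netlink: protocol not supported")), FakeBackend("iptables", nil))
	if err != nil {
		panic(err)
	}
	fmt.Println("selected backend:", fw.Name())
}
```

Two points the example makes explicit that the summary leaves implicit: an explicit --vpn-firewall-backend value fails rather than falling back, so an operator who asked for nftables is not left auditing rules in the wrong subsystem; and in the forward chain the client-isolation drop has to precede the allowed-IPs accepts, with a final drop so the chain policy (accept on a fresh nftables base chain) never decides. Auto mode also does not remove one interaction worth checking on a real host: where the iptables binary is iptables-nft, both backends program the same nf_tables subsystem, and a drop in either forward base chain still ends the packet.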

@mergeable

mergeable Bot commented Dec 20, 2025

Thanks for creating a pull request! A maintainer will review your changes shortly. Please don't be discouraged if it takes a while.

@GoliathLabs
Member

@copilot try again

Copilot AI and others added 3 commits December 20, 2025 13:54
Co-authored-by: GoliathLabs <8057646+GoliathLabs@users.noreply.github.com>
Co-authored-by: GoliathLabs <8057646+GoliathLabs@users.noreply.github.com>
Author

Copilot AI commented Dec 20, 2025

@copilot try again

I've now implemented nftables support alongside iptables. The changes include:

  • Added github.com/google/nftables dependency for netlink-based firewall management
  • Created a Firewall interface with both iptablesFirewall and nftablesFirewall implementations
  • Added configuration option --vpn-firewall-backend (auto/iptables/nftables) with auto-detection
  • The default "auto" mode tries nftables first, falls back to iptables if unavailable
  • Full backward compatibility maintained

The implementation is in commit b09254c. The nftables backend uses netlink for direct kernel communication, so it doesn't require the nftables binary to be installed.

Copilot AI changed the title from "[WIP] Add support for nftables alongside iptables" to "Add support for nftables alongside iptables" on Dec 20, 2025

Development

Successfully merging this pull request may close these issues.

Support for nftables

2 participants