luci-mod-status: hide iptables firewall status when nft is present

Do not expose the iptables status page as menu item when nftables is present
on the system. Instead add a warning banner to the nftables status page
directing the user to the hidden iptables status page when we encounter
legacy rules on the system.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

modules/luci-mod-status/htdocs/luci-static/resources/view/status/nftables.js

@@ -132,7 +132,11 @@ var action_translations = {
 
 return view.extend({
 	load: function() {
-		return L.resolveDefault(fs.exec_direct('/usr/sbin/nft', [ '--json', 'list', 'ruleset' ], 'json'), {});
+		return Promise.all([
+			L.resolveDefault(fs.exec_direct('/usr/sbin/nft', [ '--json', 'list', 'ruleset' ], 'json'), {}),
+			L.resolveDefault(fs.exec_direct('/usr/sbin/iptables-save'), ''),
+			L.resolveDefault(fs.exec_direct('/usr/sbin/ip6tables-save'), '')
+		]);
 	},
 
 	isActionExpression: function(expr) {
@@ -662,15 +666,32 @@ return view.extend({
 		return node;
 	},
 
+	checkLegacyRules: function(ipt4save, ipt6save) {
+		if (ipt4save.match(/\n-A /) || ipt6save.match(/\n-A /)) {
+			ui.addNotification(_('Legacy rules detected'), [
+				E('p', _('There are legacy iptables rules present on the system. Mixing iptables and nftables rules is discouraged and may lead to incomplete traffic filtering.')),
+				E('button', {
+					'class': 'btn cbi-button',
+					'click': function() { location.href = 'nftables/iptables' }
+				}, _('Open iptables rules overview…'))
+			], 'warning');
+		}
+	},
+
 	render: function(data) {
-		var view = E('div');
+		var view = E('div'),
+		    nft = data[0],
+		    ipt = data[1],
+		    ipt6 = data[2];
 
-		if (!Array.isArray(data.nftables))
-			return E('em', _('No nftables ruleset load'));
+		this.checkLegacyRules(ipt, ipt6);
 
-		for (var i = 0; i < data.nftables.length; i++)
-			if (data.nftables[i].hasOwnProperty('table'))
-				view.appendChild(this.renderTable(data.nftables, data.nftables[i].table));
+		if (!Array.isArray(nft.nftables))
+			return E('em', _('No nftables ruleset loaded.'));
+
+		for (var i = 0; i < nft.nftables.length; i++)
+			if (nft.nftables[i].hasOwnProperty('table'))
+				view.appendChild(this.renderTable(nft.nftables, nft.nftables[i].table));
 
 		return view;
 	},

modules/luci-mod-status/root/usr/share/luci/menu.d/luci-mod-status.json

@@ -24,7 +24,7 @@
 	},
 
 	"admin/status/iptables": {
-		"title": "Firewall (iptables)",
+		"title": "Firewall",
 		"order": 3,
 		"action": {
 			"type": "view",
@@ -33,14 +33,14 @@
 		"depends": {
 			"acl": [ "luci-mod-status-firewall" ],
 			"fs": [
-				{ "/usr/sbin/iptables": "executable" },
-				{ "/usr/sbin/ip6tables": "executable" }
+				{ "/usr/sbin/nft": "absent", "/usr/sbin/iptables": "executable" },
+				{ "/usr/sbin/nft": "absent", "/usr/sbin/ip6tables": "executable" }
 			]
 		}
 	},
 
 	"admin/status/nftables": {
-		"title": "Firewall (nftables)",
+		"title": "Firewall",
 		"order": 3,
 		"action": {
 			"type": "view",
@@ -52,6 +52,13 @@
 		}
 	},
 
+	"admin/status/nftables/iptables": {
+		"action": {
+			"type": "view",
+			"path": "status/iptables"
+		}
+	},
+
 	"admin/status/logs": {
 		"title": "System Log",
 		"order": 4,

modules/luci-mod-status/root/usr/share/rpcd/acl.d/luci-mod-status.json

@@ -74,7 +74,9 @@
 				"/usr/sbin/nft --json list ruleset": [ "exec" ],
 				"/usr/sbin/iptables --line-numbers -w -nvxL -t *": [ "exec" ],
 				"/usr/sbin/ip6tables --line-numbers -w -nvxL -t *": [ "exec" ],
-				"/usr/sbin/ip6tables": [ "list" ]
+				"/usr/sbin/ip6tables": [ "list" ],
+				"/usr/sbin/iptables-save": [ "exec" ],
+				"/usr/sbin/ip6tables-save": [ "exec" ]
 			},
 			"ubus": {
 				"file": [ "stat" ]