[RFE] update nftables and ship systemd unit

[jepio]

Current situation

We currently ship nftables-0.9.9 and no systemd unit to automatically apply rules at boot.
Gentoo has nftables-1.0.5

Impact

Harder than necessary to enable nftables during boot.

Ideal future situation

nftables systemd unit part of flatcar image.

Implementation options

Update nftables ebuild in coreos-overlay (while checking which downstream changes are still necessary).

Additional information

[pothos]

Thanks. The systemd unit topic is interesting, I guess we could try to be close to the workflow we have for iptables config files and the Gentoo systemd unit looks like it fits well - if Flatcar follows the Gentoo way we could redirect to the Gentoo docs instead of writing our own docs.

Just for reference, a very different way of configuring nftables can be found on Fedora:

[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
ProtectSystem=full
ProtectHome=true
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

The /etc/sysconfig/ file includes /etc/nftables/main.nft and both the service and the inclusion of the main.nft are disabled by default on my machine.