Infrastructure

iptables is on its way out and was never loved to begin with. nftables is the default firewalling implementation in future, so convert all existing iptables rules to nftables.

firewalld (and similar front-end abstractions) were briefly discussed but it appears TDF's firewalling use-case is not complex enough to really need this. Salt has an nftables state that we can leverage

It's possible that fail2ban will need adjusting to the switch. Also consider combing through to see if any other systems depend specifically on iptables or shorewall.