default firewall zones in gateway profile

- zones are an attrset of name -> [interface-service]

- the firewall will create empty "ifname" sets for each zone name
 in each address family (ip, ip6)

- then watch the interface services, and add the "ifname" outputs
to the corresponding sets when they appear

This commit only adds the empty sets

THOUGHTS.txt

@@ -7010,5 +7010,13 @@ which interface services are in which zones
 we'd have to ensure that the interface services did not end up as
 dependencies of the firewall
 
-then the firewall could watch each interface service for the ifname
-output and add it to the right zone
+then the firewall could
+
+- create the sets
+- watch each interface service for the ifname output and add it to the right zone
+
+Sun Feb  9 21:33:57 GMT 2025
+
+nft update set @lan
+
+echo 'flush set table-ip lan;  add element table-ip lan { eth0,lo }' | nft -f -

examples/rotuer.nix

@@ -69,10 +69,6 @@ in rec {
     firewall = {
       enable = true;
       rules = secrets.firewallRules;
-      zones = {
-        lan = [ config.services.int ];
-        wan = [ config.services.wan  ] ;
-      };
     };
     wireless.networks = {
       # EDIT: if you have more or fewer wireless radios, here is where

modules/firewall/ifwatch.fnl

@@ -48,8 +48,7 @@
       (..
        "flush set ip table-ip " zone "; \n"
        "flush set ip6 table-ip6 " zone "; \n"
-       )
-
+       )))
 
 (fn run []
   (while true

modules/profiles/gateway.nix

@@ -50,6 +50,10 @@ in {
       rules = mkOption { type = types.attrsOf types.attrs; };
       zones = mkOption {
         type = types.attrsOf (types.listOf  liminix.lib.types.service);
+        default = {
+          lan = [ config.services.int ];
+          wan = [ config.services.wan ];
+        };
       };
     };