RFC Standardise nftables rulesets?
Hey there,
We've been promoting nftables for years now, and it works great. But I know that every time I want to try some daemon, I'll have to investigate the protocols the software uses and which ports it relies on.
For example, I've spent this whole morning figuring out how to allow some UPnP packet flows to make sane-airscan actually detect and use my network scanner. It is still poorly documented, and I had to dig into how nftables sets work and how to use them for this use case.
I think that's why most users just prefer not to use firewalls at all. And that is our bad.
What about adding `nftables-ruleset`, an empty meta-package that behaves similarly to `docs`?
Every package maintainer could then add a `$pkgname-nftrules` subpackage for the recipe they maintain. It would be `install_if` the package and `nftables-ruleset` are installed.
This way, the end user can just `apk add nftables nftables-ruleset`, and be sure most of the daemons they use will behave correctly with default configurations.
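What such a `-nftrules` subpackage could look like, as an added illustration that is not from this post, from postmarketOS or from aports: an APKBUILD excerpt for sane-airscan that ships one ruleset snippet and is pulled in through `install_if`. The port numbers, the `/etc/nftables.d` include directory, the `airscan_discovery_udp` set name and the `nftables-ruleset` package name are assumptions.

```apkbuild
# Hypothetical excerpt from an APKBUILD for sane-airscan, showing only the
# parts relevant to the proposed -nftrules subpackage. Ports, set name,
# the /etc/nftables.d include directory and "nftables-ruleset" are assumptions.
pkgname=sane-airscan
subpackages="$pkgname-doc $pkgname-nftrules"

package() {
	# ... the normal install steps of the recipe go here ...

	# Ruleset snippet shipped by the -nftrules subpackage. A real recipe would
	# carry it as a file listed in source=; a heredoc keeps this example in one
	# place. It assumes the main /etc/nftables.nft includes /etc/nftables.d/*.nft
	# and already defines "table inet filter" with a base chain "input": nft
	# merges this declaration into the existing table and appends the rule.
	mkdir -p "$pkgdir"/etc/nftables.d
	cat > "$pkgdir"/etc/nftables.d/sane-airscan.nft <<-EOF
	# Discovery traffic used by sane-airscan (assumed: mDNS 5353/udp and
	# WS-Discovery 3702/udp). Scanner replies are covered by the usual
	# "ct state established,related accept" rule of the base ruleset.
	table inet filter {
		set airscan_discovery_udp {
			type inet_service
			elements = { 5353, 3702 }
		}
		chain input {
			udp dport @airscan_discovery_udp accept
		}
	}
	EOF
}

nftrules() {
	pkgdesc="$pkgdesc (nftables ruleset)"
	# Installed automatically only when both the daemon itself and the
	# proposed nftables-ruleset meta-package are present.
	install_if="$pkgname=$pkgver-r$pkgrel nftables-ruleset"
	amove etc/nftables.d/sane-airscan.nft
}
```

The snippet only opens the two discovery ports and nothing else, so a user who does not install `nftables-ruleset` keeps exactly the ruleset they had before.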
postmarketOS folks already do something similar here. Can we standardise this approach upstream?