Add ocserv role

Create a self-signed CA, set up group configs, add script to allow new
connections through the firewall.

In the base debian role, drop the default nftables forward chain with
drop policy because it clashes with this. If you enable forwarding on
a debian host, make sure to configure the firewall.

roles/ocserv/files/ocserv-script

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -x
+
+[ -n "$DEVICE" ] || exit 1
+[ -n "$USERNAME" ] || exit 2
+[ -n "$IP_REMOTE" ] || exit 3
+
+chain="inet ocserv client-${USERNAME}"
+remote_ip="${IP_REMOTE%/*}"
+
+case "${REASON}" in
+connect)
+	nft "add chain ${chain} { type filter hook forward priority filter; policy accept; }"
+	nft "flush chain ${chain}" # in case it already existed and not empty
+	if [ -n "$OCSERV_ROUTES" ] ; then
+		# convert netmask to prefix len, e.g. /255.0.0.0 to /8 and replace spaces with commas
+		routes="$(netmask $OCSERV_ROUTES | paste -s -d ',' | tr -d '[:space:]')"
+		nft "add rule ${chain} iif ${DEVICE} ip saddr ${remote_ip} ip daddr { ${routes} } mark set 0x100"
+	fi
+	;;
+disconnect)
+	nft "delete chain ${chain}"
+	;;
+esac

roles/ocserv/files/ocserv.nft

@@ -0,0 +1,14 @@
+table inet ocserv {
+    chain forward {
+        type filter hook forward priority filter + 10; policy drop;
+        ct state { established, related } accept
+        meta mark 0x100 accept
+    }
+}
+
+table ip ocserv {
+    chain postrouting {
+        type nat hook postrouting priority srcnat; policy drop;
+        meta mark 0x100 masquerade
+    }
+}