Add ENABLE_INTERFACES support to nftables container

Allow nftables container to automatically bring up and down network
interfaces via the ENABLE_INTERFACES environment variable. This enables
tighter integration with systems like Infix OS where interfaces can be
disabled in the configuration but need to be brought up when the
firewall container starts.

Changes:
- rc.local: Bring up interfaces listed in ENABLE_INTERFACES on startup
- rc.shutdown: Bring down interfaces on container shutdown
- README: Document the new environment variable with usage example

Usage:
  docker run --network=host -e ENABLE_INTERFACES="e1 e24" \
    ghcr.io/kernelkit/curios-nftables:latest

Fixes #20

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>

Author: troglobit

README.md

@@ -83,9 +83,26 @@ netfilter management with zero-downtime rule updates. Features:
 - **Live configuration** - Built-in vi editor for rule modifications
 - **Mount-friendly** - Use host-based config files via volumes
 - **Sample configurations** included for end-devices and routers
+- **Interface management** - Automatically bring up/down interfaces via `ENABLE_INTERFACES`
 
 Ideal for edge devices, containers-as-firewalls, and advanced network policies.
 
+**Environment variables:**
+
+- `ENABLE_INTERFACES` - Space-separated list of network interfaces
+  (e.g., `"e1 e24"`) to bring up on startup, after the firewall rules
+  have been applied, and take down on shutdown before disabling the
+  firewall
+
+**Example usage:**
+
+```bash
+# Start with automatic interface management
+docker run --network=host -e ENABLE_INTERFACES="e1 e24" \
+  -v /path/to/nftables.conf:/etc/nftables.conf:ro \
+  ghcr.io/kernelkit/curios-nftables:latest
+```
+
 See this blog post on how to use this container with Infix:
 
 - [Infix w/ WAN+LAN firewall setup](https://kernelkit.org/posts/firewall-container/)

board/nftables/rootfs/etc/rc.local

@@ -23,6 +23,18 @@ else
     msg="STANDBY -- No active firewall!"
 fi
 
+# Enable interfaces if specified via environment variable
+if [ -n "$ENABLE_INTERFACES" ]; then
+    echo "> Enabling interfaces: $ENABLE_INTERFACES"
+    for iface in $ENABLE_INTERFACES; do
+        if ip link set dev "$iface" up 2>/dev/null; then
+            echo ">   Interface $iface brought up"
+        else
+            echo ">   WARNING: Failed to bring up interface $iface"
+        fi
+    done
+fi
+
 echo "> SYSTEM MONITORING $msg"
 
 exit 0

board/nftables/rootfs/etc/rc.shutdown

@@ -5,6 +5,18 @@ CONF=/etc/nftables.conf
 
 echo "> SIGNAL RECEIVED"
 
+# Disable interfaces if they were enabled via environment variable
+if [ -n "$ENABLE_INTERFACES" ]; then
+    echo "> Disabling interfaces: $ENABLE_INTERFACES"
+    for iface in $ENABLE_INTERFACES; do
+        if ip link set dev "$iface" down 2>/dev/null; then
+            echo ">   Interface $iface brought down"
+        else
+            echo ">   WARNING: Failed to bring down interface $iface"
+        fi
+    done
+fi
+
 if [ -f "$CONF" ]; then
     echo "> Flushing nftables ruleset..."
     nft flush ruleset