From fda762065c03d55c05682bf9834354c0edca3e97 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Mon, 11 May 2020 19:32:32 +0200
Subject: nat: T2198: implement deletion of NAT subsystem
---
 data/templates/firewall/nftables-nat.tmpl | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
(limited to 'data/templates/firewall')
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 343807e79..671cd0920 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -8,18 +8,26 @@ flush table nat
 {{ rule }}
 {% endfor %}
+
+{% if deleted %}
+# NAT if going to be disabled - remove rules and targets from nftables
+delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
+delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
+delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
+delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}
+
+delete chain ip raw NAT_CONNTRACK
+
+{% else %}
+# NAT if enabled - add targets to nftables
 add chain ip raw NAT_CONNTRACK
+add rule ip raw NAT_CONNTRACK counter accept
-# insert rule after VYATTA_CT_IGNORE
 add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
-# insert rule after VYATTA_CT_PREROUTING_HOOK
 add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
-# insert rule after VYATTA_CT_IGNORE
 add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
-# insert rule after VYATTA_CT_PREROUTING_HOOK
 add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
-
-add rule ip raw NAT_CONNTRACK counter accept
+{% endif %}
 {% for r in destination -%}
-- 
cgit v1.2.3
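Review bot: `delete chain ip raw NAT_CONNTRACK` in the new `{% if deleted %}` branch will be rejected by nft, because the enable branch fills that chain with `add rule ip raw NAT_CONNTRACK counter accept` and nft only deletes a chain that holds no rules and is no longer a jump target; the branch removes the four jump rules but never empties the chain itself. If the rendered file is applied as one `nft -f` batch, that error aborts the whole transaction, including the `flush table nat` visible in the hunk header context, so the NAT rules the operator is disabling would stay active — add `flush chain ip raw NAT_CONNTRACK` directly before the `delete chain ip raw NAT_CONNTRACK` line. The same variables (`pre_ct_ignore`, `pre_ct_conntrack`, `out_ct_ignore`, `out_ct_conntrack`) are used as `position` (a neighbouring rule's handle) on the add side but as the `handle` of the rule being deleted on the delete side, so they presumably carry different values per branch; a comment such as `# handles of the jump rules installed by the enable branch below` above the delete lines would make that contract visible to the next maintainer. The header comment also reads `NAT if going to be disabled`; `NAT is going to be disabled` is meant.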