From bf8f30b5f87c62fa81f7fba4212493f0f2bc6375 Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Mon, 18 Apr 2022 18:31:12 +0000
Subject: NAT: T4365: Fix for nat tables manipulation on netfilter

---
 data/templates/firewall/nftables-nat.tmpl | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)


diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 922f3dcb4..7a925b264 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -138,8 +138,9 @@
 {%   endif %}
 {% endmacro %}
 
-# Start with clean NAT table
-flush table ip nat
+# Start with clean SNAT and DNAT chains
+flush chain ip nat PREROUTING
+flush chain ip nat POSTROUTING
 {% if helper_functions is vyos_defined('remove') %}
 {# NAT if going to be disabled - remove rules and targets from nftables #}
 {%   set base_command = 'delete rule ip raw' %}
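Review bot: The two `flush chain ip nat PREROUTING` / `flush chain ip nat POSTROUTING` lines now require those two base chains to exist in table `ip nat`, not just the table as the old `flush table` did, and nothing visible in this hunk creates them; if they are created elsewhere in the template or by another component, the comment should say so, because a missing chain makes `nft -f` reject the whole ruleset. The narrower flush also means every other chain in `ip nat` keeps its rules across a NAT reload, so any rule this template ever adds outside PREROUTING or POSTROUTING would accumulate on each regeneration. I would replace the new comment with `# Only flush the two base chains: other chains in table ip nat (e.g. the VYOS_PRE_*_HOOK chains populated outside this template) must survive a NAT reload, so every rule added by this template must go into PREROUTING or POSTROUTING.`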
@@ -164,6 +165,7 @@ add rule ip raw NAT_CONNTRACK counter accept
 #
 # Destination NAT rules build up here
 #
+add rule ip nat PREROUTING counter jump VYOS_PRE_DNAT_HOOK
 {% if destination.rule is vyos_defined %}
 {%   for rule, config in destination.rule.items() if config.disable is not vyos_defined %}
 {{ nat_rule(rule, config, 'PREROUTING') }}
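Review bot: The new `jump VYOS_PRE_DNAT_HOOK` rule is emitted unconditionally ahead of the configured destination rules, yet the target chain is not created anywhere in this hunk, so the ruleset load fails if that chain does not yet exist, and whatever the chain holds is evaluated before every user DNAT rule and can rewrite or accept a packet before those rules see it. That precedence and ownership is what the next maintainer needs, so I would document it above the line: `# Rules in VYOS_PRE_DNAT_HOOK (populated outside this template) are evaluated before every configured destination rule below.` If the chain is meant to be guaranteed by this template, an `add chain ip nat VYOS_PRE_DNAT_HOOK` line before the jump (nft's `add` form tolerates an existing chain, unlike `create`) would remove the load-order dependency on the other component. The `{% if destination.rule is vyos_defined %}` block continues past the end of this hunk.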
@@ -172,6 +174,7 @@ add rule ip raw NAT_CONNTRACK counter accept
 #
 # Source NAT rules build up here
 #
+add rule ip nat POSTROUTING counter jump VYOS_PRE_SNAT_HOOK
 {% if source.rule is vyos_defined %}
 {%   for rule, config in source.rule.items() if config.disable is not vyos_defined %}
 {{ nat_rule(rule, config, 'POSTROUTING') }}
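Review bot: Placing `jump VYOS_PRE_SNAT_HOOK` as the first POSTROUTING rule means any snat or masquerade rule that lands in that hook chain takes effect before the configured source rules, and because the hook chain is no longer flushed by this template, rules left there by an earlier configuration persist across a NAT reload; the template gives no hint of either property. I would add above the line: `# VYOS_PRE_SNAT_HOOK is not flushed here and runs before every configured source rule below; anything placed in it by another component wins over the rules in this template.` As with the DNAT side, the hook chain is not created in this hunk, so the load depends on it already existing. The `{% if source.rule is vyos_defined %}` block continues past the end of this hunk.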
-- 