authorChristian Poessinger <christian@poessinger.com>2020-05-15 21:47:08 +0200
committerChristian Poessinger <christian@poessinger.com>2020-05-16 18:25:58 +0200
commitf75db67c495c0e9e251bebba46b75e9d085dece0 (patch)
tree95e53c2ea4721a60cacad4fac0bdcd79536bac7b
parent682bfd2c869acbf9f7c6dc681e28ca703c290d7f (diff)
nat: T2198: do not run DNAT rule if rule is disabled
-rw-r--r--data/templates/firewall/nftables-nat.tmpl3
1 files changed, 1 insertions, 2 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 01dcec19f..528c4d82a 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -23,7 +23,7 @@ flush table nat
{% endif %}
-{% for r in destination -%}
+{% for r in destination if not r.disabled -%}
{% set chain = "PREROUTING" %}
{% set dst_addr = "ip daddr " + r.dest_address if r.dest_address %}
{% set dst_port = "dport { " + r.dest_port +" }" %}
@@ -48,7 +48,6 @@ flush table nat
{% set trns = "return" %}
{% endif %}
-
{% if r.protocol == 'tcp_udp' %}
{# Special handling for protocol tcp_udp which is represented as two individual rules #}
{% if log %}