authorChristian Poessinger <christian@poessinger.com>2020-05-11 19:32:32 +0200
committerChristian Poessinger <christian@poessinger.com>2020-05-16 15:30:26 +0200
commitfda762065c03d55c05682bf9834354c0edca3e97 (patch)
tree7d58b5a65f40aac1c2df74128e15fbc018ab322f /data/templates/firewall
parent1c6ae6f7e7cf30d9598d2886bb3d2c34685a2c8c (diff)
nat: T2198: implement deletion of NAT subsystem
Diffstat (limited to 'data/templates/firewall')
-rw-r--r--data/templates/firewall/nftables-nat.tmpl20
1 files changed, 14 insertions, 6 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 343807e79..671cd0920 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -8,18 +8,26 @@ flush table nat
{{ rule }}
{% endfor %}
+
+{% if deleted %}
+# NAT if going to be disabled - remove rules and targets from nftables
+delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
+delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
+delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
+delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}
+
+delete chain ip raw NAT_CONNTRACK
+
+{% else %}
+# NAT if enabled - add targets to nftables
add chain ip raw NAT_CONNTRACK
+add rule ip raw NAT_CONNTRACK counter accept
-# insert rule after VYATTA_CT_IGNORE
add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
-# insert rule after VYATTA_CT_PREROUTING_HOOK
add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
-# insert rule after VYATTA_CT_IGNORE
add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
-# insert rule after VYATTA_CT_PREROUTING_HOOK
add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
-
-add rule ip raw NAT_CONNTRACK counter accept
+{% endif %}
{% for r in destination -%}