author | Christian Poessinger <christian@poessinger.com> | 2020-05-11 19:32:32 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-05-16 15:30:26 +0200 |
commit | fda762065c03d55c05682bf9834354c0edca3e97 (patch) | |
tree | 7d58b5a65f40aac1c2df74128e15fbc018ab322f /data/templates/firewall | |
parent | 1c6ae6f7e7cf30d9598d2886bb3d2c34685a2c8c (diff) | |
nat: T2198: implement deletion of NAT subsystem
Diffstat (limited to 'data/templates/firewall')
-rw-r--r-- | data/templates/firewall/nftables-nat.tmpl | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 343807e79..671cd0920 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -8,18 +8,26 @@ flush table nat
 {{ rule }}
{% endfor %}
+
+{% if deleted %}
+# NAT if going to be disabled - remove rules and targets from nftables
+delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
+delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
+delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
+delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}
+
+delete chain ip raw NAT_CONNTRACK
+
+{% else %}
+# NAT if enabled - add targets to nftables
add chain ip raw NAT_CONNTRACK
+add rule ip raw NAT_CONNTRACK counter accept
-# insert rule after VYATTA_CT_IGNORE
add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
-# insert rule after VYATTA_CT_PREROUTING_HOOK
add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
-# insert rule after VYATTA_CT_IGNORE
add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
-# insert rule after VYATTA_CT_PREROUTING_HOOK
add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
-
-add rule ip raw NAT_CONNTRACK counter accept
+{% endif %}
{% for r in destination -%}