summaryrefslogtreecommitdiff
path: root/data/templates/firewall
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-10-26 16:57:51 +0200
committerGitHub <noreply@github.com>2022-10-26 16:57:51 +0200
commita61e1a78fe116bb44fe55be3493de7c4dbe8db97 (patch)
treefcc18784759f8b75ca51dbc2fd253140059cdaa4 /data/templates/firewall
parent2e3e25514004f11d2238793752536fbc43f4bbf4 (diff)
parent16207f7a8ffdbc93fcfcc4b6ba783940a1e40e33 (diff)
downloadvyos-1x-a61e1a78fe116bb44fe55be3493de7c4dbe8db97.tar.gz
vyos-1x-a61e1a78fe116bb44fe55be3493de7c4dbe8db97.zip
Merge pull request #1618 from sarthurdev/T4764
nat: T4764: Remove NAT tables on node deletion
Diffstat (limited to 'data/templates/firewall')
-rw-r--r--data/templates/firewall/nftables-nat.j218
-rw-r--r--data/templates/firewall/nftables-static-nat.j218
2 files changed, 20 insertions, 16 deletions
diff --git a/data/templates/firewall/nftables-nat.j2 b/data/templates/firewall/nftables-nat.j2
index 55fe6024b..c5c0a2c86 100644
--- a/data/templates/firewall/nftables-nat.j2
+++ b/data/templates/firewall/nftables-nat.j2
@@ -24,6 +24,7 @@ add rule ip raw NAT_CONNTRACK counter accept
{% if first_install is not vyos_defined %}
delete table ip vyos_nat
{% endif %}
+{% if deleted is not vyos_defined %}
table ip vyos_nat {
#
# Destination NAT rules build up here
@@ -31,11 +32,11 @@ table ip vyos_nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
counter jump VYOS_PRE_DNAT_HOOK
-{% if destination.rule is vyos_defined %}
-{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %}
+{% if destination.rule is vyos_defined %}
+{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %}
{{ config | nat_rule(rule, 'destination') }}
-{% endfor %}
-{% endif %}
+{% endfor %}
+{% endif %}
}
#
@@ -44,11 +45,11 @@ table ip vyos_nat {
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
counter jump VYOS_PRE_SNAT_HOOK
-{% if source.rule is vyos_defined %}
-{% for rule, config in source.rule.items() if config.disable is not vyos_defined %}
+{% if source.rule is vyos_defined %}
+{% for rule, config in source.rule.items() if config.disable is not vyos_defined %}
{{ config | nat_rule(rule, 'source') }}
-{% endfor %}
-{% endif %}
+{% endfor %}
+{% endif %}
}
chain VYOS_PRE_DNAT_HOOK {
@@ -59,3 +60,4 @@ table ip vyos_nat {
return
}
}
+{% endif %}
diff --git a/data/templates/firewall/nftables-static-nat.j2 b/data/templates/firewall/nftables-static-nat.j2
index 790c33ce9..e5e3da867 100644
--- a/data/templates/firewall/nftables-static-nat.j2
+++ b/data/templates/firewall/nftables-static-nat.j2
@@ -3,6 +3,7 @@
{% if first_install is not vyos_defined %}
delete table ip vyos_static_nat
{% endif %}
+{% if deleted is not vyos_defined %}
table ip vyos_static_nat {
#
# Destination NAT rules build up here
@@ -10,11 +11,11 @@ table ip vyos_static_nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
-{% if static.rule is vyos_defined %}
-{% for rule, config in static.rule.items() if config.disable is not vyos_defined %}
+{% if static.rule is vyos_defined %}
+{% for rule, config in static.rule.items() if config.disable is not vyos_defined %}
{{ config | nat_static_rule(rule, 'destination') }}
-{% endfor %}
-{% endif %}
+{% endfor %}
+{% endif %}
}
#
@@ -22,10 +23,11 @@ table ip vyos_static_nat {
#
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
-{% if static.rule is vyos_defined %}
-{% for rule, config in static.rule.items() if config.disable is not vyos_defined %}
+{% if static.rule is vyos_defined %}
+{% for rule, config in static.rule.items() if config.disable is not vyos_defined %}
{{ config | nat_static_rule(rule, 'source') }}
-{% endfor %}
-{% endif %}
+{% endfor %}
+{% endif %}
}
}
+{% endif %}