authorNicolas Fort <nicolasfort1988@gmail.com>2022-04-18 18:31:12 +0000
committerNicolas Fort <nicolasfort1988@gmail.com>2022-04-18 18:31:12 +0000
commitbf8f30b5f87c62fa81f7fba4212493f0f2bc6375 (patch)
treefef05b1a9c557a453988ee257dc13cec5bae422e /data/templates/firewall
parent3cbe7878bcadc0f3ecbaeab46d745b5510c26b0d (diff)
NAT: T4365: Fix for nat tables manipulation on netfilter
Diffstat (limited to 'data/templates/firewall')
-rw-r--r--data/templates/firewall/nftables-nat.tmpl7
1 files changed, 5 insertions, 2 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 922f3dcb4..7a925b264 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -138,8 +138,9 @@
{% endif %}
{% endmacro %}
-# Start with clean NAT table
-flush table ip nat
+# Start with clean SNAT and DNAT chains
+flush chain ip nat PREROUTING
+flush chain ip nat POSTROUTING
{% if helper_functions is vyos_defined('remove') %}
{# NAT if going to be disabled - remove rules and targets from nftables #}
{% set base_command = 'delete rule ip raw' %}
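Review bot: The narrowed flush at L28–L29 presupposes that the `ip nat` table and its PREROUTING and POSTROUTING base chains already exist when this file is loaded (an `nft -f` run aborts on an unknown chain), and nothing in this hunk creates them, while the old `flush table ip nat` only required the table. The comment on L27 also omits the reason for the change: every other chain in the table — presumably the VYOS_PRE_DNAT_HOOK/VYOS_PRE_SNAT_HOOK chains that this template jumps to further down — now survives a NAT reload, so rules another component places there are no longer wiped by a NAT commit. I would replace the comment with `# Flush only the base chains: other chains in ip nat (e.g. the VYOS_PRE_*_HOOK chains, populated outside this template) must survive a NAT reload; the table and base chains are expected to already exist`. The `{% if helper_functions is vyos_defined('remove') %}` branch opened on L30 continues past the hunk, so whether the remove path leaves those hook chains populated cannot be confirmed from here.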
@@ -164,6 +165,7 @@ add rule ip raw NAT_CONNTRACK counter accept
#
# Destination NAT rules build up here
#
+add rule ip nat PREROUTING counter jump VYOS_PRE_DNAT_HOOK
{% if destination.rule is vyos_defined %}
{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %}
{{ nat_rule(rule, config, 'PREROUTING') }}
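Review bot: The `jump VYOS_PRE_DNAT_HOOK` added at L37 is emitted unconditionally ahead of every configured DNAT rule and carries no comment, so a reader cannot tell that whatever sits in that chain takes precedence over the operator's `destination.rule` entries, nor that the whole ruleset load fails if VYOS_PRE_DNAT_HOOK has not been created in `ip nat` before this file is applied. Because the flush earlier in this file no longer touches that chain, rules accumulated there persist across NAT commits, which is presumably the intent but should be stated where the jump is added. I would put above the line `# Hook for DNAT rules managed outside this template: evaluated before user rules, not flushed on reload, chain must already exist in ip nat`. The `{% if destination.rule is vyos_defined %}` loop beginning at L38 runs past the end of the hunk.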
@@ -172,6 +174,7 @@ add rule ip raw NAT_CONNTRACK counter accept
#
# Source NAT rules build up here
#
+add rule ip nat POSTROUTING counter jump VYOS_PRE_SNAT_HOOK
{% if source.rule is vyos_defined %}
{% for rule, config in source.rule.items() if config.disable is not vyos_defined %}
{{ nat_rule(rule, config, 'POSTROUTING') }}
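Review bot: The SNAT hook jump at L45 has the same undocumented ordering as its DNAT counterpart: anything placed in VYOS_PRE_SNAT_HOOK is evaluated before the `source.rule` entries rendered below it, so a hook rule that translates or accepts a packet pre-empts the operator's own source NAT rules, and a reader of this template has no indication of that. A one-line comment stating the precedence and the precondition would make it explicit, e.g. `# Rules in VYOS_PRE_SNAT_HOOK run before, and take precedence over, the source NAT rules below; the chain must pre-exist in ip nat`. The `{% if source.rule is vyos_defined %}` loop opened at L46 continues beyond the hunk.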