-rw-r--r--data/templates/firewall/nftables-nat.tmpl20
-rwxr-xr-xsrc/conf_mode/nat.py31
2 files changed, 33 insertions, 18 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 343807e79..671cd0920 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -8,18 +8,26 @@ flush table nat
{{ rule }}
{% endfor %}
+
+{% if deleted %}
+# NAT if going to be disabled - remove rules and targets from nftables
+delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
+delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
+delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
+delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}
+
+delete chain ip raw NAT_CONNTRACK
+
+{% else %}
+# NAT if enabled - add targets to nftables
add chain ip raw NAT_CONNTRACK
+add rule ip raw NAT_CONNTRACK counter accept
-# insert rule after VYATTA_CT_IGNORE
add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
-# insert rule after VYATTA_CT_PREROUTING_HOOK
add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
-# insert rule after VYATTA_CT_IGNORE
add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
-# insert rule after VYATTA_CT_PREROUTING_HOOK
add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
-
-add rule ip raw NAT_CONNTRACK counter accept
+{% endif %}
{% for r in destination -%}
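Review bot: `delete chain ip raw NAT_CONNTRACK` in the new deleted branch runs while the chain still holds the `counter accept` rule the enabled branch adds, and nft only deletes a chain that is empty and no longer used as a jump target; the jump rules are removed by the preceding `delete rule ... handle` lines, but the chain's own rule is not, so add `flush chain ip raw NAT_CONNTRACK` immediately before the `delete chain` line. The deleted branch also assumes every handle variable is populated; if `get_handler` yields an empty value when no matching rule exists (its contract is not visible here), a line such as `delete rule ip raw PREROUTING handle ` renders with no handle and the whole script is rejected, so consider guarding each delete with `{% if pre_ct_ignore %}` and its siblings so that disabling NAT stays idempotent. The Python side (verify, later hunk at `if nat['deleted']`) returns early for this case and performs no such check.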
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index 128e2469c..916f63f09 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -27,11 +27,12 @@ from vyos.util import call, cmd
from vyos import ConfigError
default_config_data = {
- 'prerouting_ct_helper': '',
- 'prerouting_ct_conntrack': '',
- 'output_ct_helper': '',
- 'output_ct_conntrack': '',
+ 'deleted': False,
'destination': [],
+ 'pre_ct_helper': '',
+ 'pre_ct_conntrack': '',
+ 'out_ct_helper': '',
+ 'out_ct_conntrack': '',
'source': []
}
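Review bot: The new default keys `pre_ct_helper` and `out_ct_helper` are never read; get_config writes and verify reads `pre_ct_ignore` / `out_ct_ignore` (see the `nat['pre_ct_ignore'] = ...` and `nat['out_ct_ignore'] = ...` assignments in the next hunk and the `if not (nat['pre_ct_ignore'] or ...)` check in verify), and the template uses the same `_ignore` names. Both branches of get_config assign those keys, so there is no KeyError today, but the defaults misdocument the dict; rename them to `'pre_ct_ignore': '',` and `'out_ct_ignore': '',` so `default_config_data` lists the keys the rest of the file relies on.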
@@ -139,11 +140,21 @@ def parse_source_destination(conf, source_dest):
def get_config():
nat = deepcopy(default_config_data)
conf = Config()
+
if not conf.exists(['nat']):
- return None
+ # Retrieve current table handler positions
+ nat['pre_ct_ignore'] = get_handler('PREROUTING', 'VYATTA_CT_HELPER')
+ nat['pre_ct_conntrack'] = get_handler('PREROUTING', 'NAT_CONNTRACK')
+ nat['out_ct_ignore'] = get_handler('OUTPUT', 'VYATTA_CT_HELPER')
+ nat['out_ct_conntrack'] = get_handler('OUTPUT', 'NAT_CONNTRACK')
+
+ nat['deleted'] = True
+
+ return nat
else:
conf.set_level(['nat'])
+ # Retrieve current table handler positions
nat['pre_ct_ignore'] = get_handler('PREROUTING', 'VYATTA_CT_IGNORE')
nat['pre_ct_conntrack'] = get_handler('PREROUTING', 'VYATTA_CT_PREROUTING_HOOK')
nat['out_ct_ignore'] = get_handler('OUTPUT', 'VYATTA_CT_IGNORE')
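Review bot: The comment `# Retrieve current table handler positions` at the top of the new `if not conf.exists(['nat'])` branch repeats the enabled-path wording, but the values looked up here are the handles of the NAT jump rules installed earlier (the rules targeting VYATTA_CT_HELPER and NAT_CONNTRACK), which the template consumes as `delete rule ... handle {{ ... }}`; a comment such as `# Handles of the NAT jump rules installed earlier; the template deletes them by handle` would make the asymmetry with the else branch deliberate rather than look like a copy-paste. The two branches also share the same four-assignment shape differing only in the two target chain names, so a small helper taking those names would remove the duplication, though that is optional. get_config continues past the end of this hunk.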
@@ -158,7 +169,8 @@ def get_config():
return nat
def verify(nat):
- if not nat:
+ if nat['deleted']:
+ # no need to verify the CLI as NAT is going to be deactivated
return None
if not (nat['pre_ct_ignore'] or nat['pre_ct_conntrack'] or nat['out_ct_ignore'] or nat['out_ct_conntrack']):
@@ -172,18 +184,13 @@ def verify(nat):
return None
def generate(nat):
- if not nat:
- return None
-
render(iptables_nat_config, 'firewall/nftables-nat.tmpl', nat, trim_blocks=True, permission=0o755)
return None
def apply(nat):
- if not nat:
- return None
+ cmd(f'{iptables_nat_config}')
- call(f'{iptables_nat_config}')
return None
if __name__ == '__main__':
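Review bot: `cmd(f'{iptables_nat_config}')` wraps a lone variable in an f-string for no gain; `cmd(iptables_nat_config)` is equivalent and clearer. If `cmd`, unlike the replaced `call`, raises on a non-zero exit status (its contract is not visible here), the switch means an nftables script rejected by nft now aborts the commit instead of being silently ignored, which is the safer fail-closed behaviour and worth recording with a comment such as `# cmd() raises on a non-zero exit, so a rejected nftables script fails the commit`. If `call` is no longer used elsewhere in the file, the `from vyos.util import call, cmd` import shown in the first hunk header can drop it.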