summaryrefslogtreecommitdiff
path: root/data/templates/firewall
diff options
context:
space:
mode:
Diffstat (limited to 'data/templates/firewall')
-rw-r--r--data/templates/firewall/nftables-nat.tmpl20
1 files changed, 14 insertions, 6 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 343807e79..671cd0920 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -8,18 +8,26 @@ flush table nat
{{ rule }}
{% endfor %}
+
+{% if deleted %}
+# NAT if going to be disabled - remove rules and targets from nftables
+delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
+delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
+delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
+delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}
+
+delete chain ip raw NAT_CONNTRACK
+
+{% else %}
+# NAT if enabled - add targets to nftables
add chain ip raw NAT_CONNTRACK
+add rule ip raw NAT_CONNTRACK counter accept
-# insert rule after VYATTA_CT_IGNORE
add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
-# insert rule after VYATTA_CT_PREROUTING_HOOK
add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
-# insert rule after VYATTA_CT_IGNORE
add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
-# insert rule after VYATTA_CT_PREROUTING_HOOK
add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
-
-add rule ip raw NAT_CONNTRACK counter accept
+{% endif %}
{% for r in destination -%}