From fda762065c03d55c05682bf9834354c0edca3e97 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Mon, 11 May 2020 19:32:32 +0200
Subject: nat: T2198: implement deletion of NAT subsystem

---
 data/templates/firewall/nftables-nat.tmpl | 20 ++++++++++++++------
 src/conf_mode/nat.py                      | 31 +++++++++++++++++++------------
 2 files changed, 33 insertions(+), 18 deletions(-)

diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 343807e79..671cd0920 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -8,18 +8,26 @@ flush table nat
 {{ rule }}
 {% endfor %}
 
+
+{% if deleted %}
+# NAT if going to be disabled - remove rules and targets from nftables
+delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
+delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
+delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
+delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}
+
+delete chain ip raw NAT_CONNTRACK
+
+{% else %}
+# NAT if enabled - add targets to nftables
 add chain ip raw NAT_CONNTRACK
+add rule ip raw NAT_CONNTRACK counter accept
 
-# insert rule after VYATTA_CT_IGNORE
 add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
-# insert rule after VYATTA_CT_PREROUTING_HOOK
 add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
-# insert rule after VYATTA_CT_IGNORE
 add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
-# insert rule after VYATTA_CT_PREROUTING_HOOK
 add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
-
-add rule ip raw NAT_CONNTRACK counter accept
+{% endif %}
 
 
 {% for r in destination -%}
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index 128e2469c..916f63f09 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -27,11 +27,12 @@ from vyos.util import call, cmd
 from vyos import ConfigError
 
 default_config_data = {
-    'prerouting_ct_helper': '',
-    'prerouting_ct_conntrack': '',
-    'output_ct_helper': '',
-    'output_ct_conntrack': '',
+    'deleted': False,
     'destination': [],
+    'pre_ct_helper': '',
+    'pre_ct_conntrack': '',
+    'out_ct_helper': '',
+    'out_ct_conntrack': '',
     'source': []
 }
 
@@ -139,11 +140,21 @@ def parse_source_destination(conf, source_dest):
 def get_config():
     nat = deepcopy(default_config_data)
     conf = Config()
+
     if not conf.exists(['nat']):
-        return None
+        # Retrieve current table handler positions
+        nat['pre_ct_ignore'] = get_handler('PREROUTING', 'VYATTA_CT_HELPER')
+        nat['pre_ct_conntrack'] = get_handler('PREROUTING', 'NAT_CONNTRACK')
+        nat['out_ct_ignore'] = get_handler('OUTPUT', 'VYATTA_CT_HELPER')
+        nat['out_ct_conntrack'] = get_handler('OUTPUT', 'NAT_CONNTRACK')
+
+        nat['deleted'] = True
+
+        return nat
     else:
         conf.set_level(['nat'])
 
+    # Retrieve current table handler positions
     nat['pre_ct_ignore'] = get_handler('PREROUTING', 'VYATTA_CT_IGNORE')
     nat['pre_ct_conntrack'] = get_handler('PREROUTING', 'VYATTA_CT_PREROUTING_HOOK')
     nat['out_ct_ignore'] = get_handler('OUTPUT', 'VYATTA_CT_IGNORE')
@@ -158,7 +169,8 @@ def get_config():
     return nat
 
 def verify(nat):
-    if not nat:
+    if nat['deleted']:
+        # no need to verify the CLI as NAT is going to be deactivated
         return None
 
     if not (nat['pre_ct_ignore'] or nat['pre_ct_conntrack'] or nat['out_ct_ignore'] or nat['out_ct_conntrack']):
@@ -172,18 +184,13 @@ def verify(nat):
     return None
 
 def generate(nat):
-    if not nat:
-        return None
-
     render(iptables_nat_config, 'firewall/nftables-nat.tmpl', nat, trim_blocks=True, permission=0o755)
 
     return None
 
 def apply(nat):
-    if not nat:
-        return None
+    cmd(f'{iptables_nat_config}')
 
-    call(f'{iptables_nat_config}')
     return None
 
 if __name__ == '__main__':
-- 
cgit v1.2.3