From 6f44b47d8f2bf04984684a0752ab224960260b0d Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 12 Jul 2020 11:54:16 +0200 Subject: nat: T2699: fix exclusion rules for noNAT destinations --- data/templates/firewall/nftables-nat.tmpl | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'data') diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl index 8108d5e0f..0c29f536b 100644 --- a/data/templates/firewall/nftables-nat.tmpl +++ b/data/templates/firewall/nftables-nat.tmpl @@ -6,7 +6,7 @@ flush table nat {% if helper_functions == 'remove' %} {# NAT if going to be disabled - remove rules and targets from nftables #} -{% set base_command = "delete rule ip raw" %} +{% set base_command = "delete rule ip raw" %} {{ base_command }} PREROUTING handle {{ pre_ct_ignore }} {{ base_command }} OUTPUT handle {{ out_ct_ignore }} {{ base_command }} PREROUTING handle {{ pre_ct_conntrack }} @@ -19,7 +19,7 @@ delete chain ip raw NAT_CONNTRACK add chain ip raw NAT_CONNTRACK add rule ip raw NAT_CONNTRACK counter accept -{% set base_command = "add rule ip raw" %} +{% set base_command = "add rule ip raw" %} {{ base_command }} PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER {{ base_command }} OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER @@ -48,10 +48,11 @@ add rule ip raw NAT_CONNTRACK counter accept {% set comment = "DST-NAT-" + rule.number %} {% if chain == "PREROUTING" %} -{% set interface = " iifname \"" + rule.interface_in + "\"" %} +{% set interface = " iifname \"" + rule.interface_in + "\"" if rule.interface_in is defined and rule.interface_in != 'any' else '' %} {% set trns_addr = "dnat to " + rule.translation_address %} + {% elif chain == "POSTROUTING" %} -{% set interface = " oifname \"" + rule.interface_out + "\"" %} +{% set interface = " oifname \"" + rule.interface_out + "\"" if rule.interface_out is defined and rule.interface_out != 'any' else '' %} {% if rule.translation_address == 'masquerade' %} {% set trns_addr = rule.translation_address %} {% if rule.translation_port %} -- cgit v1.2.3