From fda762065c03d55c05682bf9834354c0edca3e97 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Mon, 11 May 2020 19:32:32 +0200
Subject: nat: T2198: implement deletion of NAT subsystem

---
 data/templates/firewall/nftables-nat.tmpl | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)


diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 343807e79..671cd0920 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -8,18 +8,26 @@ flush table nat
 {{ rule }}
 {% endfor %}
 
+
+{% if deleted %}
+# NAT if going to be disabled - remove rules and targets from nftables
+delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
+delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
+delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
+delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}
+
+delete chain ip raw NAT_CONNTRACK
+
+{% else %}
+# NAT if enabled - add targets to nftables
 add chain ip raw NAT_CONNTRACK
+add rule ip raw NAT_CONNTRACK counter accept
 
-# insert rule after VYATTA_CT_IGNORE
 add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
-# insert rule after VYATTA_CT_PREROUTING_HOOK
 add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
-# insert rule after VYATTA_CT_IGNORE
 add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
-# insert rule after VYATTA_CT_PREROUTING_HOOK
 add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
-
-add rule ip raw NAT_CONNTRACK counter accept
+{% endif %}
 
 
 {% for r in destination -%}
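Review bot: The four new `delete rule ip raw ... handle {{ ... }}` lines reuse the same variables that the `{% else %}` branch passes as `position`, i.e. the handle of the pre-existing VYATTA_CT_IGNORE / VYATTA_CT_PREROUTING_HOOK rule after which the jump was inserted; if the caller supplies the same values in both branches, the deletion removes the anchor rule and leaves the `jump NAT_CONNTRACK` rules in place, so the following `delete chain ip raw NAT_CONNTRACK` fails because the chain is still referenced. The deletion branch needs the handles of the inserted jump rules themselves, e.g. `delete rule ip raw PREROUTING handle {{ <handle-of-inserted-NAT_CONNTRACK-jump> }}`, which the caller would have to look up after the add branch ran. Independently, `delete chain ip raw NAT_CONNTRACK` is issued while the chain still holds its `counter accept` rule; nftables refuses to delete a non-empty chain, so a `flush chain ip raw NAT_CONNTRACK` line should precede it. The branch comment reads `# NAT if going to be disabled`; `# NAT is going to be disabled` was presumably intended.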
-- 