#!/usr/sbin/nft -f

{% if helper_functions is vyos_defined('remove') %}
{# NAT if going to be disabled - remove rules and targets from nftables #}
{%     set base_command = 'delete rule ip6 raw' %}
{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }}
{{ base_command }} OUTPUT handle {{ out_ct_conntrack }}

delete chain ip6 raw NAT_CONNTRACK

{% elif helper_functions is vyos_defined('add') %}
{# NAT if enabled - add targets to nftables #}
add chain ip6 raw NAT_CONNTRACK
add rule ip6 raw NAT_CONNTRACK counter accept
{%     set base_command = 'add rule ip6 raw' %}
{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
{{ base_command }} OUTPUT     position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
{% endif %}

{% if first_install is not vyos_defined %}
delete table ip6 vyos_nat
{% endif %}
table ip6 vyos_nat {
    #
    # Destination NAT66 rules build up here
    #
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
        counter jump VYOS_DNPT_HOOK
{% if destination.rule is vyos_defined %}
{%     for rule, config in destination.rule.items() if config.disable is not vyos_defined %}
        {{ config | nat_rule(rule, 'destination', ipv6=True) }}
{%     endfor %}
{% endif %}
    }

    #
    # Source NAT66 rules build up here
    #
    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
        counter jump VYOS_SNPT_HOOK
{% if source.rule is vyos_defined %}
{%     for rule, config in source.rule.items() if config.disable is not vyos_defined %}
        {{ config | nat_rule(rule, 'source', ipv6=True) }}
{%     endfor %}
{% endif %}
    }

    chain VYOS_DNPT_HOOK {
        return
    }

    chain VYOS_SNPT_HOOK {
        return
    }
}