gravitl/netmaker
1
1
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-09-13 16:44:52 +08:00
Code Issues Projects Releases Packages Wiki Activity

flush tables vice delete rules for nft

Browse source
This commit is contained in:
Matthew R. Kasun 2022-08-18 04:20:23 -04:00
parent d2b95c338c
commit e3c1189008
2 changed files with 5 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
controllers/config/dnsconfig/netmaker.hosts
View file

@ -1,2 +1 @@
10.0.0.1 testnode.skynet 10.0.0.2 testnode.skynet myhost.skynet
10.0.0.2 myhost.skynet

10
logic/gateway.go
View file

@ -294,9 +294,8 @@ func firewallNFTCommandsCreateIngress(networkInterface string) (string, string)
postUp += "nft add rule ip nat POSTROUTING oifname " + networkInterface + " counter masquerade" postUp += "nft add rule ip nat POSTROUTING oifname " + networkInterface + " counter masquerade"
// doesn't remove potentially empty tables or chains // doesn't remove potentially empty tables or chains
postDown := "nft delete rule ip filter FORWARD iifname " + networkInterface + " counter accept ; " postDown := "nft flush table filter; "
postDown += "nft delete rule ip filter FORWARD oifname " + networkInterface + " counter accept ; " postDown += "nft flush table nat; "
postDown += "nft delete rule ip nat POSTROUTING oifname " + networkInterface + " counter masquerade"
return postUp, postDown return postUp, postDown
} }
@ -308,15 +307,14 @@ func firewallNFTCommandsCreateEgress(networkInterface string, gatewayInterface s
postUp += "nft add rule ip filter FORWARD iifname " + networkInterface + " counter accept ; " postUp += "nft add rule ip filter FORWARD iifname " + networkInterface + " counter accept ; "
postUp += "nft add rule ip filter FORWARD oifname " + networkInterface + " counter accept ; " postUp += "nft add rule ip filter FORWARD oifname " + networkInterface + " counter accept ; "
postDown := "nft delete rule ip filter FORWARD iifname " + networkInterface + " counter accept ; " postDown := "nft flush table filter; "
postDown += "nft delete rule ip filter FORWARD oifname " + networkInterface + " counter accept ; "
if egressNatEnabled == "yes" { if egressNatEnabled == "yes" {
postUp += "nft add table nat ; " postUp += "nft add table nat ; "
postUp += "nft add chain nat POSTROUTING ; " postUp += "nft add chain nat POSTROUTING ; "
postUp += "nft add rule ip nat POSTROUTING oifname " + gatewayInterface + " counter masquerade ;" postUp += "nft add rule ip nat POSTROUTING oifname " + gatewayInterface + " counter masquerade ;"
postDown += "nft delete rule ip nat POSTROUTING oifname " + gatewayInterface + " counter masquerade ;" postDown += "nft flush table nat; "
} }
return postUp, postDown return postUp, postDown