From c36f915b13f088e99cbcd0d822e9fc32249fe713 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sat, 4 Mar 2023 14:58:19 +0000
Subject: [PATCH] Avoid dropping third party tables when stopping an nftables firewall

---
 cookbooks/networking/recipes/default.rb | 13 +++++++++++++
 .../networking/templates/default/nftables.conf.erb | 2 --
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index a299a67cd..427cd794a 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -690,6 +690,19 @@ elsif node[:networking][:firewall][:engine] == "nftables"
 notifies :restart, "service[nftables]"
 end

+ stop_commands = [
+ "/usr/sbin/nft delete table inet filter"
+ ]
+
+ stop_commands << "/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway")
+
+ systemd_service "nftables-stop" do
+ service "nftables"
+ dropin "stop"
+ exec_reload ""
+ exec_stop stop_commands
+ end
+
 if node[:networking][:firewall][:enabled]
 service "nftables" do
 action [:enable, :start]
diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index 65d090db3..7f0b1e17e 100644
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -5,8 +5,6 @@ define external-interfaces = { <%= @interfaces.sort.uniq.join(", ") %> }
 define ip-private-addresses = { 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16 }
 define ip6-private-addresses = { 2001:db8::/32, fc00::/7 }

-flush ruleset
-
 table inet filter {
 set ip-osm-addresses {
 type ipv4_addr
-- 
2.43.2
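Review bot: The commands in `stop_commands` fail when the table they delete is absent (a stop after a failed rule load, or an `ip nat` table that was never created), and a non-zero ExecStop= exit leaves the unit in a failed state; if the `systemd_service` resource passes these strings through verbatim, systemd's ignore-failure prefix, `"-/usr/sbin/nft delete table inet filter"` and `"-/usr/sbin/nft delete table ip nat"`, keeps stop idempotent. It is also not visible here whether the "stop" dropin resets the inherited `ExecStop=` before adding these commands; if the distribution unit defines its own ExecStop= with a ruleset flush and the dropin only appends, the flush still runs and the third-party tables are dropped anyway, so that behaviour of `systemd_service` is worth confirming. Because the template no longer begins with `flush ruleset`, a start that runs while `inet filter` still exists (a manual `nft -f`, or a stop that did not complete) appends duplicate rules instead of replacing them, so a comment above `stop_commands` such as `# nftables.conf no longer flushes the ruleset; this stop step is what removes our tables before the next load` would help the next maintainer. The enclosing `elsif` branch starts before the hunk and continues past it.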