fw4: improve flowtable handling
[project/firewall4.git] / root / usr / share / firewall4 / templates / ruleset.uc
index e9692d787675b594fcfa396fc6c2272714d13824..8020bed69fb1b9c50b82289974544563f4866b59 100644 (file)
@@ -1,5 +1,8 @@
 table inet fw4
 flush table inet fw4
+{% if (flowtable): %}
+delete flowtable inet fw4 ft
+{% endif %}
 
 table inet fw4 {
 {% if (fw4.default_option("flow_offloading") && length(devices) > 0): %}
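Review bot: The added `delete flowtable inet fw4 ft` is guarded by `flowtable`, but nothing in this hunk shows where that variable is set or whether it still matches the live ruleset when the file is loaded. nft applies a ruleset file as one transaction, so if the flowtable is absent at load time the delete fails and the whole ruleset is rejected, and the intended firewall update is not applied. Please confirm that the caller derives `flowtable` from the current kernel state immediately before loading. The guard also needs a template comment giving the reason, for example `{# flush table only clears rules; remove the existing flowtable so it is recreated below #}`, with wording adjusted if the intent differs. The `table inet fw4 {` block continues outside the hunk.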
@@ -274,7 +277,7 @@ table inet fw4 {
 {%     if (rule.devices_neg || rule.subnets_neg || devices_pos || subnets_pos): %}
                {%+ if (rule.family): -%}
                        meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
-               {%+ include("zone-match.uc", { fw4, rule: { ...rule, devices_pos, subnets_pos } }) -%}
+               {%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnets_pos } }) -%}
                jump {{ target }}_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} {{
                        (target == "helper") ? "CT helper assignment" : "CT bypass"
                }}"
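Review bot: The new `egress: false` argument to `zone-match.uc`, here and in the identical change in the hunk at -296/+299, is undocumented, and that template is not part of the visible diff. Presumably the flag selects ingress-side versus egress-side device and subnet matching; if so, a call site that omits it would depend on how the template treats an undefined value, and a wrong direction would make a zone rule match the wrong traffic. Please confirm that every other `include("zone-match.uc", …)` passes `egress` explicitly, or that the template treats a missing value as `false`. A short comment above each include would help, for example `{# egress: false = match on the incoming side #}`, if that is the intended meaning.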
@@ -296,7 +299,7 @@ table inet fw4 {
 {%     if (devices_pos || subnets_pos): %}
                {%+ if (rule.family): -%}
                        meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
-               {%+ include("zone-match.uc", { fw4, rule: { ...rule, devices_pos, subnets_pos } }) -%}
+               {%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnets_pos } }) -%}
                jump {{ target }}_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} {{
                        (target == "helper") ? "CT helper assignment" : "CT bypass"
                }}"