From 0c58537217ab089f6e13d05cc10cd5589a131d73 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Fri, 18 Feb 2022 13:40:49 +0300
Subject: [PATCH] nft: do not delete all chains on firewall down

---
 common/nft.sh | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/common/nft.sh b/common/nft.sh
index da9cd13..ef3d1b7 100644
--- a/common/nft.sh
+++ b/common/nft.sh
@@ -61,10 +61,6 @@ nft_del_all_chains_from_table()
 done
 }
-nft_del_chains()
-{
-nft_del_all_chains_from_table "inet $ZAPRET_NFT_TABLE"
-}
 nft_create_chains()
 {
 cat << EOF | nft -f -
@@ -90,6 +86,21 @@ cat << EOF | nft -f -
 add set inet $ZAPRET_NFT_TABLE wanif6 { type ifname; }
 EOF
 }
+nft_del_chains()
+{
+# do not delete all chains because of additional user hooks
+# they must be inside zapret table to use nfsets
+
+cat << EOF | nft -f - 2>/dev/null
+delete chain inet $ZAPRET_NFT_TABLE dnat_output
+delete chain inet $ZAPRET_NFT_TABLE dnat_pre
+delete chain inet $ZAPRET_NFT_TABLE forward
+delete chain inet $ZAPRET_NFT_TABLE input
+delete chain inet $ZAPRET_NFT_TABLE postrouting
+delete chain inet $ZAPRET_NFT_TABLE flow_offload
+delete chain inet $ZAPRET_NFT_TABLE localnet_protect
+EOF
+}
 nft_del_flowtable()
 {
 nft delete flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null
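Review bot: The `2>/dev/null` on `cat << EOF | nft -f - 2>/dev/null` in the new nft_del_chains hides the case where deletion fails, and since `nft -f` applies its input as one transaction, a single chain that cannot be removed (for example a base chain still targeted by a user `jump`/`goto`, which nft refuses to delete) appears to roll back the whole batch, leaving every hook chain in place after "firewall down" with no message. These are the base chains that actually intercept and redirect traffic, so a silent no-op here means the redirects stay active while the script reports a clean shutdown. I would at least surface the failure, `... | nft -f - 2>/dev/null || echo "nft_del_chains: could not delete zapret hook chains (still referenced by user rules?)" >&2`, or issue one `nft delete chain ...` per chain so the unreferenced ones are still removed. The chain list here also duplicates the one in nft_create_chains (outside the hunk); a one-line comment `# keep in sync with the chains created in nft_create_chains` would make the coupling explicit.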