networking/nftables: only delete our tables if flushRuleset is set to false

2025-02-01 17:53:14 +00:00 · 2022-12-28 02:52:26 +01:00 · 2022-12-28 02:52:26 +01:00 · 5f300ad70c
commit 5f300ad70c
parent d5a0826686
1 changed files with 5 additions and 1 deletions
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@ -248,7 +248,11 @@ in
        RemainAfterExit = true;
        ExecStart = rulesScript;
        ExecReload = rulesScript;
-        ExecStop = "${pkgs.nftables}/bin/nft flush ruleset";
+        ExecStop = "${pkgs.nftables}/bin/nft ${
+          if cfg.flushRuleset then "flush ruleset"
+          else escapeShellArg (concatStringsSep "; " (
+            mapAttrsToList (_: table: "delete table ${table.family} ${table.name}") enabledTables
+          ))}";
      };
    };
  };