authorJakub Jirutka <jakub@jirutka.cz>2018-04-01 18:51:39 +0200
committerJakub Jirutka <jakub@jirutka.cz>2018-04-01 19:03:36 +0200
commit2221432434ddd269048e71a34cda6ebafbddcc9c (patch)
tree772b5c0aaacde5ab3be853f9659be6516dde483c /main/nftables/nftables.initd
parent09d5ae0cd26007718bd77c5a5a866a094fae61a9 (diff)
downloadaports-2221432434ddd269048e71a34cda6ebafbddcc9c.tar.bz2
aports-2221432434ddd269048e71a34cda6ebafbddcc9c.tar.xz
main/nftables: add support for enabling forwarding to runscript
Diffstat (limited to 'main/nftables/nftables.initd')
-rw-r--r--main/nftables/nftables.initd23
1 files changed, 22 insertions, 1 deletions
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
index 6035d1a7bc..56d31c3bba 100644
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
@@ -16,9 +16,11 @@ description_reload="Clear current rulesets and load rulesets from the saved rule
: ${rules_file:=${NFTABLES_SAVE:="/var/lib/nftables/rules-save"}}
: ${save_options:=${SAVE_OPTIONS:="-n"}}
: ${save_on_stop:=${SAVE_ON_STOP:="yes"}}
+: ${enable_forwarding:="no"}
depend() {
need localmount
+ after sysctl
before net
provide firewall
}
@@ -74,7 +76,13 @@ start() {
ebegin "Loading nftables state and starting firewall"
nft -f "$rules_file"
- eend $?
+ eend $? || return 1
+
+ if yesno "$ip_forward"; then
+ ebegin "Enabling forwarding"
+ forwarding 1
+ eend $? || return 1
+ fi
}
stop() {
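Review bot: start() tests `yesno "$ip_forward"`, but the variable this commit gives a default to, and the one stop() checks, is `enable_forwarding`. Nothing visible in this diff sets `ip_forward`, so with `enable_forwarding=yes` forwarding would apparently never be switched on at start, while stop() would still switch it off. The condition should read `if yesno "$enable_forwarding"; then`. The ordering itself is worth keeping, since forwarding is only enabled after the `nft -f` result has been checked, so packets are not forwarded before the ruleset is in place. start() begins above the hunk.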
@@ -82,6 +90,12 @@ stop() {
save || return 1
fi
+ if yesno "$enable_forwarding"; then
+ ebegin "Disabling forwarding"
+ forwarding 0
+ eend $?
+ fi
+
ebegin "Stopping firewall"
nft flush ruleset
eend $?
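Review bot: If `forwarding 0` fails here, stop() carries on to `nft flush ruleset`, which would leave the host forwarding packets with no ruleset loaded. start() aborts on the equivalent failure; `eend $? || return 1` here would keep the rules in place until forwarding is really off, or at minimum the failure should be named, e.g. `eend $? "Forwarding is still enabled"`. Separately, this writes 0 whatever the value was before start, so a host that had forwarding enabled through sysctl.conf loses it on stop. A comment such as `# enable_forwarding=yes means this service owns the forwarding sysctls` would make that explicit. stop() begins above the hunk.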
@@ -104,3 +118,10 @@ checkkernel() {
fi
return 0
}
+
+forwarding() {
+ /sbin/sysctl -qw \
+ net.ipv4.ip_forward=$1 \
+ net.ipv6.conf.default.forwarding=$1 \
+ net.ipv6.conf.all.forwarding=$1
+}
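Review bot: forwarding() writes the IPv4 and IPv6 keys in a single sysctl call, so on a kernel where IPv6 is unavailable the net.ipv6 keys presumably cannot be written. The call would then return non-zero and start() would return 1 after the ruleset has already been loaded. Splitting the call and skipping the IPv6 keys when /proc/sys/net/ipv6 is absent avoids that. Quoting `$1` and adding a header comment that the argument is 0 or 1 would also help. Enabling net.ipv6.conf.all.forwarding also makes the kernel ignore router advertisements unless accept_ra is 2, which should be mentioned wherever `enable_forwarding` is documented (not in this diff).

```shell
forwarding() {
	# $1 is 0 (disable) or 1 (enable).
	/sbin/sysctl -qw net.ipv4.ip_forward="$1" || return 1

	# Skip the IPv6 keys when the kernel exposes no IPv6 sysctl tree.
	[ -d /proc/sys/net/ipv6 ] || return 0

	/sbin/sysctl -qw \
		net.ipv6.conf.default.forwarding="$1" \
		net.ipv6.conf.all.forwarding="$1"
}
```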