From eff5456b57754031be1b3eddb593595248bb94e8 Mon Sep 17 00:00:00 2001 From: Akhilesh Samineni <47657796+AkhileshSamineni@users.noreply.github.com> Date: Thu, 8 Oct 2020 11:28:58 +0530 Subject: [PATCH] [NAT]: Clear the iptables NAT rules only which were added by NAT Mgr. (#1386) Signed-off-by: Akhilesh Samineni Changes to clear the iptables NAT rules only which were added by NAT Mgr instead of flushing the all the NAT entries --- cfgmgr/natmgr.cpp | 20 ++++++++++---------- cfgmgr/natmgr.h | 6 +++--- cfgmgr/natmgrd.cpp | 12 +++++------- 3 files changed, 18 insertions(+), 20 deletions(-) diff --git a/cfgmgr/natmgr.cpp b/cfgmgr/natmgr.cpp index e8aa07f73b3d..663b90072f7a 100644 --- a/cfgmgr/natmgr.cpp +++ b/cfgmgr/natmgr.cpp @@ -63,14 +63,6 @@ NatMgr::NatMgr(DBConnector *cfgDb, DBConnector *appDb, DBConnector *stateDb, con /* Set NAT default udp timeout as 300 seconds */ m_natUdpTimeout = NAT_UDP_TIMEOUT_DEFAULT; - /* Clean the NAT iptables */ - std::string res; - const std::string cmds = std::string("") + IPTABLES_CMD + " -F -t nat "; - if (swss::exec(cmds, res)) - { - SWSS_LOG_ERROR("Command '%s' failed", cmds.c_str()); - } - /* Start the timer to refresh static conntrack entries for every 1 day (86400) */ SWSS_LOG_INFO("Start the NAT Refresh Timer "); auto refresh_interval = timespec { .tv_sec = NAT_ENTRY_REFRESH_PERIOD, .tv_nsec = 0 }; @@ -3612,7 +3604,11 @@ void NatMgr::removeStaticNatIptables(const string port) for (auto it = m_staticNatEntry.begin(); it != m_staticNatEntry.end(); it++) { /* Check interface is matching, otherwise continue */ - if ((*it).second.interface != port) + if ((port != NONE_STRING) and (*it).second.interface != port) + { + continue; + } + else if ((port == NONE_STRING) and (*it).second.interface == NONE_STRING) { continue; } 
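Review bot: The retained comment `/* Check interface is matching, otherwise continue */` above the new two-branch condition in removeStaticNatIptables no longer describes the second branch, which skips entries whose interface is NONE_STRING when the function is called with its NONE_STRING default (the remove-all path the SIGTERM cleanup now uses); the identical condition and the same stale comment appear in removeStaticNaptIptables in the next hunk. Presumably an entry with no interface has had no iptables rule installed yet, so there is nothing to remove, but if that invariant does not hold those rules survive the daemon's shutdown, so it is worth stating at both sites: `/* port == NONE_STRING removes rules for every interface; an entry with no interface is assumed to have no rule installed */`. Since both loops now carry the same filter, a small shared predicate taking the entry's interface and the requested port would keep the two from drifting apart. The loop body continues outside the hunk.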
@@ -3838,7 +3834,11 @@ void NatMgr::removeStaticNaptIptables(const string port) for (auto it = m_staticNaptEntry.begin(); it != m_staticNaptEntry.end(); it++) { /* Check interface is matching, otherwise continue */ - if ((*it).second.interface != port) + if ((port != NONE_STRING) and (*it).second.interface != port) + { + continue; + } + else if ((port == NONE_STRING) and (*it).second.interface == NONE_STRING) { continue; } diff --git a/cfgmgr/natmgr.h b/cfgmgr/natmgr.h index 8e775b91a050..d9af2635be43 100644 --- a/cfgmgr/natmgr.h +++ b/cfgmgr/natmgr.h @@ -242,6 +242,9 @@ class NatMgr : public Orch bool isPortInitDone(DBConnector *app_db); void timeoutNotifications(std::string op, std::string data); void flushNotifications(std::string op, std::string data); + void removeStaticNatIptables(const std::string port = NONE_STRING); + void removeStaticNaptIptables(const std::string port = NONE_STRING); + void removeDynamicNatRules(const std::string port = NONE_STRING, const std::string ipPrefix = NONE_STRING); private: /* Declare APPL_DB, CFG_DB and STATE_DB tables */ @@ -328,8 +331,6 @@ class NatMgr : public Orch void removeStaticNaptEntries(const std::string port= NONE_STRING, const std::string ipPrefix = NONE_STRING); void addStaticNatIptables(const std::string port); void addStaticNaptIptables(const std::string port); - void removeStaticNatIptables(const std::string port); - void removeStaticNaptIptables(const std::string port); void setStaticNatConntrackEntries(std::string mode); void setStaticSingleNatConntrackEntry(const std::string &key, std::string &mode); void setStaticTwiceNatConntrackEntry(const std::string &key, std::string &mode); 
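Review bot: The three declarations moved into the public section of NatMgr carry NONE_STRING defaults but no comment on what the default means, and the new no-argument calls from sigterm_handler in natmgrd.cpp depend on that meaning (no port = remove the rules of every interface). A one-line comment above the group, `/* Called with defaults from the SIGTERM cleanup to remove every NAT iptables rule this manager installed */`, would record the contract the handler relies on. Widening the three from private to public also lets any caller run them individually and in any order; if only the full cleanup is meant to be reachable, a single public `cleanupNatIptables()` that invokes the three in sequence would let the individual steps stay private. The class body continues outside the hunk.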
@@ -341,7 +342,6 @@ class NatMgr : public Orch void addDynamicNatRuleByAcl(const std::string &key, bool isRuleId = false); void removeDynamicNatRuleByAcl(const std::string &key, bool isRuleId = false); void addDynamicNatRules(const std::string port = NONE_STRING, const std::string ipPrefix = NONE_STRING); - void removeDynamicNatRules(const std::string port = NONE_STRING, const std::string ipPrefix = NONE_STRING); void addDynamicTwiceNatRule(const std::string &key); void deleteDynamicTwiceNatRule(const std::string &key); void setDynamicAllForwardOrAclbasedRules(const std::string &opCmd, const std::string &pool_interface, const std::string &ip_range, diff --git a/cfgmgr/natmgrd.cpp b/cfgmgr/natmgrd.cpp index c3bbe41f8d4c..7e2aeba4a250 100644 --- a/cfgmgr/natmgrd.cpp +++ b/cfgmgr/natmgrd.cpp @@ -64,17 +64,11 @@ void sigterm_handler(int signo) { int ret = 0; std::string res; - const std::string iptablesFlushNat = "iptables -t nat -F"; const std::string conntrackFlush = "conntrack -F"; SWSS_LOG_NOTICE("Got SIGTERM"); - /*If there are any iptables and conntrack entries, clean them */ - ret = swss::exec(iptablesFlushNat, res); - if (ret) - { - SWSS_LOG_ERROR("Command '%s' failed with rc %d", iptablesFlushNat.c_str(), ret); - } + /*If there are any conntrack entries, clean them */ ret = swss::exec(conntrackFlush, res); if (ret) { @@ -93,6 +87,10 @@ void sigterm_handler(int signo) if (natmgr) { + natmgr->removeStaticNatIptables(); + natmgr->removeStaticNaptIptables(); + natmgr->removeDynamicNatRules(); + natmgr->cleanupMangleIpTables(); natmgr->cleanupPoolIpTable(); }
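Review bot: With the iptables flush dropped from this hunk, `conntrack -F` now runs before the NAT rules are removed in the later `if (natmgr)` hunk, reversing the previous order in which the rules were flushed first and the conntrack table second. In the window between the two steps the still-installed rules can create fresh conntrack entries for new flows, and those entries are not cleared afterwards. Moving the conntrack flush after the `natmgr->...` cleanup calls, or repeating it there, closes that window; `ret` and `res` are declared at the top of the handler, so the exec can simply be relocated within it. sigterm_handler continues outside the hunk.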
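Review bot: The added `natmgr->removeStaticNatIptables()` and `removeStaticNaptIptables()` calls iterate m_staticNatEntry and m_staticNaptEntry (as the natmgr.cpp hunks show) and fork iptables through swss::exec from sigterm_handler; if this handler is installed with signal()/sigaction() rather than dispatched from the main loop, it can run while the main thread is modifying those same maps, and neither the iteration nor the fork is async-signal-safe. The pre-existing `conntrack -F` exec had the same problem, so this is not new, but the added calls widen the window; the usual fix is for the handler to only set a flag or write to a self-pipe and to run the cleanup from the main loop on exit. Separately, this graceful-exit cleanup together with the removed startup `iptables -F -t nat` in the NatMgr constructor means rules left behind by a crashed or SIGKILLed instance are no longer cleared at the next start and persist alongside the newly added ones; a startup reconciliation that removes only the rules this manager recognises (the same selective removal used here) would cover that case. A comment on the calls, `/* Remove only the NAT rules this manager installed; leave other users of the nat table intact */`, would record the intent of the commit at the call site.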