Update wireguard nftables for IPv6

vpn/wireguard/tasks/main.yml

@@ -17,13 +17,6 @@
     mode: 0755
   register: vpn_wireguard_post_up_iface_inet_nft
 
-- name: "post-up nftables ipv4 script"
-  ansible.builtin.template:
-    src: "./post-up-IFACE-ipv4.nft"
-    dest: "/usr/local/sbin/post-up-{{ vpn_wireguard_iface }}-ipv4.nft"
-    mode: 0755
-  register: vpn_wireguard_post_up_iface_ipv4_nft
-
 - name: "configure interface"
   ansible.builtin.template:
     src: "./{{ vpn_wireguard_role }}/IFACE"
@@ -49,7 +42,6 @@
   when:
     vpn_wireguard_conf.changed or
     vpn_wireguard_post_up_iface_inet_nft.changed or
-    vpn_wireguard_post_up_iface_ipv4_nft.changed or
     vpn_wireguard_intf.changed
 
 - name: "pre-down nftables inet script"
@@ -57,9 +49,3 @@
     src: "./pre-down-IFACE-inet.nft"
     dest: "/usr/local/sbin/pre-down-{{ vpn_wireguard_iface }}-inet.nft"
     mode: 0755
-
-- name: "pre-down nftables ipv4 script"
-  ansible.builtin.template:
-    src: "./pre-down-IFACE-ipv4.nft"
-    dest: "/usr/local/sbin/pre-down-{{ vpn_wireguard_iface }}-ipv4.nft"
-    mode: 0755

vpn/wireguard/templates/client/IFACE

@@ -5,11 +5,9 @@ iface {{ vpn_wireguard_iface }} inet static
     pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE
 
     post-up /usr/local/sbin/post-up-$IFACE-inet.nft
-    post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
     post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
 
     pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
-    pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
     pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
 
     address {{ vpn_wireguard_address }}

vpn/wireguard/templates/post-up-IFACE-inet.nft

@@ -6,4 +6,11 @@ table inet {{ vpn_wireguard_iface }}_inet {
                 iif {{ vpn_wireguard_iface }} tcp flags syn tcp option maxseg size set rt mtu;
                 oif {{ vpn_wireguard_iface }} tcp flags syn tcp option maxseg size set rt mtu;
         }
+{% if vpn_wireguard_role == "server" %}
+
+        chain postrouting {
+                type nat hook postrouting priority 100;
+                iif {{ vpn_wireguard_iface }} oif {{ ansible_default_ipv4.interface }} masquerade;
+        }
+{% endif %}
 }

vpn/wireguard/templates/post-up-IFACE-ipv4.nft

@@ -1,12 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-table ip {{ vpn_wireguard_iface }}_ipv4 {
-
-{% if vpn_wireguard_role == "server" %}
-        chain postrouting {
-                type nat hook postrouting priority 100;
-                iif {{ vpn_wireguard_iface }} oif {{ ansible_default_ipv4.interface }} masquerade;
-        }
-
-{% endif %}
-}

vpn/wireguard/templates/pre-down-IFACE-ipv4.nft

@@ -1,4 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-flush table ip {{ vpn_wireguard_iface }}_ipv4
-delete table ip {{ vpn_wireguard_iface }}_ipv4

vpn/wireguard/templates/server/IFACE

@@ -5,7 +5,6 @@ iface {{ vpn_wireguard_iface }} inet static
     pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE
 
     post-up /usr/local/sbin/post-up-$IFACE-inet.nft
-    post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
 {% if vpn_wireguard_routing_table is defined %}
     post-up ip rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
     post-up ip -6 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
@@ -25,7 +24,6 @@ iface {{ vpn_wireguard_iface }} inet static
     pre-down ip -6 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
     pre-down ip rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
 {% endif %}
-    pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
     pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
 
     address {{ vpn_wireguard_address }}