From a5c65deed7e42cb44649d47539dce0f0e59db931 Mon Sep 17 00:00:00 2001
From: nessi
Date: Wed, 18 Mar 2026 09:08:26 +0100
Subject: [PATCH] feat: replace nftables flush ruleset with targeted table deletion in gateway entrypoint

Remove global "flush ruleset" command from nftables configuration and add explicit "nft delete table inet nexavpn" before loading rules to avoid clearing unrelated firewall rules while ensuring clean nexavpn table state.
---
 deploy/scripts/gateway-entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/scripts/gateway-entrypoint.sh b/deploy/scripts/gateway-entrypoint.sh
index dc48a08..a48e96b 100644
--- a/deploy/scripts/gateway-entrypoint.sh
+++ b/deploy/scripts/gateway-entrypoint.sh
@@ -104,7 +104,6 @@ EOF
 cp "${WG_GENERATED}" "${WG_CONF}"
 
 {
- echo "flush ruleset"
 echo "table inet nexavpn {"
 echo " chain forward {"
 echo " type filter hook forward priority 0;"
@@ -137,6 +136,7 @@ EOF
 sysctl -w net.ipv4.ip_forward=1 >/dev/null || true
 fi
 
+ nft delete table inet nexavpn >/dev/null 2>&1 || true
 nft -f "${NFT_CONF}"
 
 if ip link show "${IFACE}" >/dev/null 2>&1; then
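Review bot: The added `nft delete table inet nexavpn >/dev/null 2>&1 || true` in the second hunk swallows every failure, not only the "table does not exist" case, so a delete that fails for another reason leaves the old table in place and the following `nft -f "${NFT_CONF}"` then appends a second copy of each rule into the existing chains instead of replacing them. The moment between the delete and the reload also leaves the forward hook without the nexavpn rules, which a single atomic load would avoid. Both points are addressed by moving the reset into the generated file, which nft applies as one transaction: emit `echo "table inet nexavpn"` and `echo "delete table inet nexavpn"` ahead of the `echo "table inet nexavpn {"` line in the brace group of the first hunk, and drop the separate delete line here. If the separate command is kept, at least condition it on the table existing, `nft list table inet nexavpn >/dev/null 2>&1 && nft delete table inet nexavpn`, so a real failure is no longer hidden. The enclosing script body starts and ends outside both hunks.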