From 5f300ad70cbbb7192f5a86795c37ed99d70ab545 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Kr=C3=BCger?=
Date: Wed, 28 Dec 2022 02:52:26 +0100
Subject: [PATCH] networking/nftables: only delete our tables if flushRuleset is set to false
---
 nixos/modules/services/networking/nftables.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix
index a96528f2d18..b238f09df2f 100644
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@@ -248,7 +248,11 @@ in
 RemainAfterExit = true;
 ExecStart = rulesScript;
 ExecReload = rulesScript;
- ExecStop = "${pkgs.nftables}/bin/nft flush ruleset";
+ ExecStop = "${pkgs.nftables}/bin/nft ${
+ if cfg.flushRuleset then "flush ruleset"
+ else escapeShellArg (concatStringsSep "; " (
+ mapAttrsToList (_: table: "delete table ${table.family} ${table.name}") enabledTables
+ ))}";
 };
 };
 };
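Review bot: In the new `else` branch the whole ExecStop fails if any listed table is already absent (the rules script aborted part-way, or an operator removed a table by hand), because `delete table` errors on a missing table and nft applies the `;`-joined commands as one batch, so as far as I can tell none of the tables is removed and the unit is marked failed with its rules still loaded. Consider making the cleanup tolerant, e.g. `ExecStop = "-${pkgs.nftables}/bin/nft ${...}"` so stop always proceeds, or, if the nftables in `pkgs` is recent enough to support it, `destroy table` in place of `delete table`, which is a no-op for an absent table; either way a comment next to the branch should state that only the tables declared in this configuration are removed and that tables from a previous generation or from other tools are deliberately left behind. When `enabledTables` is empty the argument collapses to `nft ''`; I believe nft treats an empty script as a no-op, but that is worth confirming or guarding with `optionalString`. Table family and name are interpolated into nft syntax unescaped here — `escapeShellArg` protects the shell, not the nft parser — which is fine only if the option types reject whitespace and `;`; the definition of `enabledTables` and the option types, like the enclosing `systemd.services` attribute set, are outside this hunk.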