From 4d4365cdf5139fd7cd3671b8389bae6cb7de0f3c Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 24 Apr 2025 13:13:52 -0700
Subject: [PATCH] nftables: add defined check for nft_nat_rules and set it also [] by default
Signed-off-by: Kevin Fenzi
---
 inventory/group_vars/all | 1 +
 roles/base/templates/nftables/nftables | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 89d9815315..abf76d9dad 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -154,6 +154,7 @@ nftables: True
 # nftables variants of custom*_rules
 nft_custom6_rules: []
 nft_custom_rules: []
+nft_nat_rules: []
 # default network block device encryption settings for linux-system-roles/nbde_client
 nbde: true
 nbde_device: /dev/md2
diff --git a/roles/base/templates/nftables/nftables b/roles/base/templates/nftables/nftables
index 765e7019fc..f6244af11a 100644
--- a/roles/base/templates/nftables/nftables
+++ b/roles/base/templates/nftables/nftables
@@ -107,7 +107,7 @@ add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport {{ port }} counter accep
 add rule ip filter INPUT counter reject with icmp type host-prohibited
 add rule ip filter FORWARD counter reject with icmp type host-prohibited
-{% if nft_nat_rules %}
+{% if nft_nat_rules is defined %}
 add table ip nat
 add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }
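Review bot: Defaulting `nft_nat_rules: []` in `inventory/group_vars/all` while the template hunk in `roles/base/templates/nftables/nftables` switches its guard to `{% if nft_nat_rules is defined %}` makes that condition true on every host that loads this inventory, so the `ip nat` table and its PREROUTING chain (plus whatever the block adds after the lines shown here) are now created even where no NAT rules are configured. Before this change the empty list was falsy and the whole NAT block was skipped, so this is a fleet-wide change to the rendered firewall ruleset rather than just a guard against an undefined variable. If the goal is only to avoid the undefined-variable error, the guard should test both conditions: `{% if nft_nat_rules is defined and nft_nat_rules %}`. Alternatively, with the default now present in group_vars/all, the original `{% if nft_nat_rules %}` already renders cleanly. The template's conditional block continues past the end of this patch.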