From 38cc85fa4ca08723363c7a672a36383fccf259e2 Mon Sep 17 00:00:00 2001
From: vicente
Date: Wed, 7 Feb 2024 15:36:04 +0100
Subject: [PATCH 1/2] set strict=False
---
 data/Dockerfiles/netfilter/modules/NFTables.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/data/Dockerfiles/netfilter/modules/NFTables.py b/data/Dockerfiles/netfilter/modules/NFTables.py
index e8e02c47..38b31ebf 100644
--- a/data/Dockerfiles/netfilter/modules/NFTables.py
+++ b/data/Dockerfiles/netfilter/modules/NFTables.py
@@ -309,8 +309,8 @@ class NFTables:
 rule_handle = rule["handle"]
 break
- dest_net = ipaddress.ip_network(source_address)
- target_net = ipaddress.ip_network(snat_target)
+ dest_net = ipaddress.ip_network(source_address, strict=False)
+ target_net = ipaddress.ip_network(snat_target, strict=False)
 if rule_found:
 saddr_ip = rule["expr"][0]["match"]["right"]["prefix"]["addr"]
@@ -321,9 +321,9 @@ class NFTables:
 target_ip = rule["expr"][3]["snat"]["addr"]
- saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len))
- daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len))
- current_target_net = ipaddress.ip_network(target_ip)
+ saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len), strict=False)
+ daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len), strict=False)
+ current_target_net = ipaddress.ip_network(target_ip, strict=False)
 match = all((
 dest_net == saddr_net,
@@ -417,7 +417,7 @@ class NFTables:
 json_command = self.get_base_dict()
 expr_opt = []
- ipaddr_net = ipaddress.ip_network(ipaddr)
+ ipaddr_net = ipaddress.ip_network(ipaddr, strict=False)
 right_dict = {'prefix': {'addr': str(ipaddr_net.network_address), 'len': int(ipaddr_net.prefixlen) } }
 left_dict = {'payload': {'protocol': _family, 'field': 'saddr'} }
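Review bot: With `strict=False`, `ipaddress.ip_network` clears host bits silently instead of raising ValueError, so in the @@ -417 hunk a value like `203.0.113.7/24` (constructed example) now produces a ban rule for `203.0.113.0/24` through `ipaddr_net.network_address`/`prefixlen`, widening the rule's scope with no trace in the log; the same holds for `dest_net` in the @@ -309 hunk, which feeds the SNAT source match, and for `candidate_net` in the @@ -466 hunk on the next line. Where the caller is expected to pass an exact host or network, it is worth making the normalisation visible right after the new line, e.g. `if ipaddress.ip_interface(ipaddr).ip != ipaddr_net.network_address: self.logger.logWarn(f'Normalized {ipaddr} to {ipaddr_net} before adding the ban rule')` (assuming `ipaddr` is the string form passed in; the parameter's type is not visible here). For the nft-derived `saddr_net`/`daddr_net`/`current_target_net` in the @@ -321 hunk the flag is harmless, since those values come back from nftables already normalised. The enclosing methods begin and end outside these hunks.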
@@ -466,7 +466,7 @@ class NFTables:
 current_rule_net = ipaddress.ip_network(current_rule_ip)
 # ip to ban
- candidate_net = ipaddress.ip_network(ipaddr)
+ candidate_net = ipaddress.ip_network(ipaddr, strict=False)
 if current_rule_net == candidate_net:
 rule_handle = _object["rule"]["handle"]
From eb91d9905bc1f4dbdde486e635592bea4ee02726 Mon Sep 17 00:00:00 2001
From: vicente
Date: Wed, 7 Feb 2024 15:48:49 +0100
Subject: [PATCH 2/2] fix typpo in chain order message
---
 data/Dockerfiles/netfilter/modules/NFTables.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/data/Dockerfiles/netfilter/modules/NFTables.py b/data/Dockerfiles/netfilter/modules/NFTables.py
index 38b31ebf..4cb0110a 100644
--- a/data/Dockerfiles/netfilter/modules/NFTables.py
+++ b/data/Dockerfiles/netfilter/modules/NFTables.py
@@ -41,6 +41,7 @@ class NFTables:
 exit_code = 2
 if chain_position > 0:
+ chain_position += 1
 self.logger.logCrit(f'MAILCOW target is in position {chain_position} in the {filter_table} {chain} table, restarting container to fix it...')
 err = True
 exit_code = 2
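Review bot: `chain_position += 1` in the @@ -41 hunk mutates the index only to make the log message 1-based, so any code that reads `chain_position` after the `logCrit` call (the method continues past the hunk) now sees a different value than before the patch. Leave the variable alone and shift only the message: `self.logger.logCrit(f'MAILCOW target is in position {chain_position + 1} in the {filter_table} {chain} table, restarting container to fix it...')`. A short comment such as `# chain_position is 0-based; report it 1-based for operators` would also make the intent clear, since the commit title calls this a typo fix. The enclosing method starts before and ends after this hunk.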