Merge pull request #5711 from amorfo77/master

[Netfilter] relax IP network parsing (strict=False) in NFTables.py
Niklas Meyer 2024-02-08 12:36:03 +01:00 committed by GitHub
commit 1926625297
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -41,6 +41,7 @@ class NFTables:
exit_code = 2 exit_code = 2
if chain_position > 0: if chain_position > 0:
chain_position += 1
self.logger.logCrit(f'MAILCOW target is in position {chain_position} in the {filter_table} {chain} table, restarting container to fix it...') self.logger.logCrit(f'MAILCOW target is in position {chain_position} in the {filter_table} {chain} table, restarting container to fix it...')
err = True err = True
exit_code = 2 exit_code = 2
@ -309,8 +310,8 @@ class NFTables:
rule_handle = rule["handle"] rule_handle = rule["handle"]
break break
dest_net = ipaddress.ip_network(source_address) dest_net = ipaddress.ip_network(source_address, strict=False)
target_net = ipaddress.ip_network(snat_target) target_net = ipaddress.ip_network(snat_target, strict=False)
if rule_found: if rule_found:
saddr_ip = rule["expr"][0]["match"]["right"]["prefix"]["addr"] saddr_ip = rule["expr"][0]["match"]["right"]["prefix"]["addr"]
@ -321,9 +322,9 @@ class NFTables:
target_ip = rule["expr"][3]["snat"]["addr"] target_ip = rule["expr"][3]["snat"]["addr"]
saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len)) saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len), strict=False)
daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len)) daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len), strict=False)
current_target_net = ipaddress.ip_network(target_ip) current_target_net = ipaddress.ip_network(target_ip, strict=False)
match = all(( match = all((
dest_net == saddr_net, dest_net == saddr_net,
@ -417,7 +418,7 @@ class NFTables:
json_command = self.get_base_dict() json_command = self.get_base_dict()
expr_opt = [] expr_opt = []
ipaddr_net = ipaddress.ip_network(ipaddr) ipaddr_net = ipaddress.ip_network(ipaddr, strict=False)
right_dict = {'prefix': {'addr': str(ipaddr_net.network_address), 'len': int(ipaddr_net.prefixlen) } } right_dict = {'prefix': {'addr': str(ipaddr_net.network_address), 'len': int(ipaddr_net.prefixlen) } }
left_dict = {'payload': {'protocol': _family, 'field': 'saddr'} } left_dict = {'payload': {'protocol': _family, 'field': 'saddr'} }
@ -466,7 +467,7 @@ class NFTables:
current_rule_net = ipaddress.ip_network(current_rule_ip) current_rule_net = ipaddress.ip_network(current_rule_ip)
# ip to ban # ip to ban
candidate_net = ipaddress.ip_network(ipaddr) candidate_net = ipaddress.ip_network(ipaddr, strict=False)
if current_rule_net == candidate_net: if current_rule_net == candidate_net:
rule_handle = _object["rule"]["handle"] rule_handle = _object["rule"]["handle"]
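Review bot: Parsing the ban target with `strict=False` at `ipaddr_net = ipaddress.ip_network(ipaddr, strict=False)` in the `@ -417` hunk silently discards host bits, so an entry such as `203.0.113.7/8` now produces a rule on all of `203.0.0.0/8` where the old strict call raised `ValueError`; if that list is admin-edited, a typo in the prefix length now widens the ban far beyond the intended host with nothing in the log to show it. I would make the normalisation visible before building `right_dict`: `if ipaddress.ip_interface(ipaddr).ip != ipaddr_net.network_address:` followed by `self.logger.logWarn(f'Host bits of {ipaddr} ignored, applying {ipaddr_net}')` — assuming the logger has a warning-level method, since only `logCrit` is visible here. The `@ -466` hunk keeps `current_rule_net = ipaddress.ip_network(current_rule_ip)` strict while `candidate_net` is relaxed; that is consistent only if `current_rule_ip` is always rebuilt from the rule's stored network address and prefix, which is not visible in the hunk and deserves a comment on that line. The functions enclosing each of these hunks start and end outside the hunks.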