Merge pull request #5711 from amorfo77/master
[Netfilter] set IP check more relaxed on NFTables.py
This commit is contained in:
commit
1926625297
@ -41,6 +41,7 @@ class NFTables:
exit_code = 2
exit_code = 2
|
|
if chain_position > 0:
if chain_position > 0:
chain_position += 1
self.logger.logCrit(f'MAILCOW target is in position {chain_position} in the {filter_table} {chain} table, restarting container to fix it...')
self.logger.logCrit(f'MAILCOW target is in position {chain_position} in the {filter_table} {chain} table, restarting container to fix it...')
err = True
err = True
exit_code = 2
exit_code = 2
@ -309,8 +310,8 @@ class NFTables:
rule_handle = rule["handle"]
rule_handle = rule["handle"]
break
break
|
|
dest_net = ipaddress.ip_network(source_address)
dest_net = ipaddress.ip_network(source_address, strict=False)
target_net = ipaddress.ip_network(snat_target)
target_net = ipaddress.ip_network(snat_target, strict=False)
|
|
if rule_found:
if rule_found:
saddr_ip = rule["expr"][0]["match"]["right"]["prefix"]["addr"]
saddr_ip = rule["expr"][0]["match"]["right"]["prefix"]["addr"]
@ -321,9 +322,9 @@ class NFTables:
|
|
target_ip = rule["expr"][3]["snat"]["addr"]
target_ip = rule["expr"][3]["snat"]["addr"]
|
|
saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len))
saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len), strict=False)
daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len))
daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len), strict=False)
current_target_net = ipaddress.ip_network(target_ip)
current_target_net = ipaddress.ip_network(target_ip, strict=False)
|
|
match = all((
match = all((
dest_net == saddr_net,
dest_net == saddr_net,
@ -417,7 +418,7 @@ class NFTables:
json_command = self.get_base_dict()
json_command = self.get_base_dict()
|
|
expr_opt = []
expr_opt = []
ipaddr_net = ipaddress.ip_network(ipaddr)
ipaddr_net = ipaddress.ip_network(ipaddr, strict=False)
right_dict = {'prefix': {'addr': str(ipaddr_net.network_address), 'len': int(ipaddr_net.prefixlen) } }
right_dict = {'prefix': {'addr': str(ipaddr_net.network_address), 'len': int(ipaddr_net.prefixlen) } }
|
|
left_dict = {'payload': {'protocol': _family, 'field': 'saddr'} }
left_dict = {'payload': {'protocol': _family, 'field': 'saddr'} }
@ -466,7 +467,7 @@ class NFTables:
current_rule_net = ipaddress.ip_network(current_rule_ip)
current_rule_net = ipaddress.ip_network(current_rule_ip)
|
|
# ip to ban
# ip to ban
candidate_net = ipaddress.ip_network(ipaddr)
candidate_net = ipaddress.ip_network(ipaddr, strict=False)
|
|
if current_rule_net == candidate_net:
if current_rule_net == candidate_net:
rule_handle = _object["rule"]["handle"]
rule_handle = _object["rule"]["handle"]
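Review bot: Passing `strict=False` at `ipaddr_net = ipaddress.ip_network(ipaddr, strict=False)` (hunk at 417) and `candidate_net = ipaddress.ip_network(ipaddr, strict=False)` (hunk at 466) silently zeroes any host bits, so an entry written as a host address with a network prefix is widened to the whole network and the rule is installed with no trace in the log. The old calls rejected such input with ValueError, so the widening deserves at least a warning that lets an operator see when one list entry affects more than a single host; a check like `if ipaddr_net.network_address != ipaddress.ip_interface(ipaddr).ip:` followed by a message through `self.logger` (only `logCrit` is visible on this page; use whatever warning-level method the class offers) would do, in the 417 hunk and, via `candidate_net`, in the 466 hunk. Relatedly, `current_rule_net = ipaddress.ip_network(current_rule_ip)` in the 466 hunk keeps the strict default; if `current_rule_ip` is rebuilt from the rule's prefix addr and len it is presumably already normalized, but if it can carry host bits that line still raises while the candidate side no longer does. The enclosing methods start and end outside these hunks.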
|