From 70e99447f95de10f68c6db8f9be89534b07edc08 Mon Sep 17 00:00:00 2001 From: Martin Wilhelmi Date: Mon, 22 Aug 2022 21:45:38 +0200 Subject: [PATCH] Fix adding same SNAT rule endless to the ipv4 POSTROUTING chain --- data/Dockerfiles/netfilter/server.py | 29 ++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/data/Dockerfiles/netfilter/server.py b/data/Dockerfiles/netfilter/server.py index f4656226..32d5d836 100644 --- a/data/Dockerfiles/netfilter/server.py +++ b/data/Dockerfiles/netfilter/server.py @@ -346,6 +346,8 @@ def snat4(snat_target): rule.dst = '!' + rule.src target = rule.create_target("SNAT") target.to_source = snat_target + match = rule.create_match("comment") + match.comment = f'{int(round(time.time()))}' return rule while not quit_now: @@ -356,16 +358,23 @@ def snat4(snat_target): table.refresh() chain = iptc.Chain(table, 'POSTROUTING') table.autocommit = False - if get_snat4_rule() not in chain.rules: - logCrit('Added POSTROUTING rule for source network %s to SNAT target %s' % (get_snat4_rule().src, snat_target)) - chain.insert_rule(get_snat4_rule()) - table.commit() - else: - for position, item in enumerate(chain.rules): - if item == get_snat4_rule(): - if position != 0: - chain.delete_rule(get_snat4_rule()) - table.commit() + new_rule = get_snat4_rule() + for position, rule in enumerate(chain.rules): + match = all(( + new_rule.get_src() == rule.get_src(), + new_rule.get_dst() == rule.get_dst(), + new_rule.target.parameters == rule.target.parameters, + new_rule.target.name == rule.target.name + )) + if position == 0: + if not match: + logInfo(f'Added POSTROUTING rule for source network {new_rule.src} to SNAT target {snat_target}') + chain.insert_rule(new_rule) + else: + if match: + logInfo(f'Remove rule for source network {new_rule.src} to SNAT target {snat_target} from POSTROUTING chain at position {position}') + chain.delete_rule(rule) + table.commit() table.autocommit = True except: print('Error running SNAT4, retrying...')