Merge pull request #5070 from mailcow/fix/snat

[Netfilter] Fix IPv4 Subrouting not added properly
2023-02-17 15:44:16 +01:00 · 2023-02-17 15:44:16 +01:00 · a8c61daeaf
commit a8c61daeaf
parent 7f0dd7d0d7 1a4f11209a
2 changed files with 23 additions and 16 deletions
--- a/data/Dockerfiles/netfilter/server.py
+++ b/data/Dockerfiles/netfilter/server.py
@ -359,21 +359,28 @@ def snat4(snat_target):
        chain = iptc.Chain(table, 'POSTROUTING')
        table.autocommit = False
        new_rule = get_snat4_rule()
-        for position, rule in enumerate(chain.rules):
+
-          match = all((
+        if not chain.rules:
-            new_rule.get_src() == rule.get_src(),
+          # if there are no rules in the chain, insert the new rule directly
-            new_rule.get_dst() == rule.get_dst(),
+          logInfo(f'Added POSTROUTING rule for source network {new_rule.src} to SNAT target {snat_target}')
-            new_rule.target.parameters == rule.target.parameters,
+          chain.insert_rule(new_rule)
-            new_rule.target.name == rule.target.name
+        else:
-          ))
+          for position, rule in enumerate(chain.rules):
-          if position == 0:
+            match = all((
-            if not match:
+              new_rule.get_src() == rule.get_src(),
-              logInfo(f'Added POSTROUTING rule for source network {new_rule.src} to SNAT target {snat_target}')
+              new_rule.get_dst() == rule.get_dst(),
-              chain.insert_rule(new_rule)
+              new_rule.target.parameters == rule.target.parameters,
-          else:
+              new_rule.target.name == rule.target.name
-            if match:
+            ))
-              logInfo(f'Remove rule for source network {new_rule.src} to SNAT target {snat_target} from POSTROUTING chain at position {position}')
+            if position == 0:
-              chain.delete_rule(rule)
+              if not match:
                logInfo(f'Added POSTROUTING rule for source network {new_rule.src} to SNAT target {snat_target}')
                chain.insert_rule(new_rule)
            else:
              if match:
                logInfo(f'Remove rule for source network {new_rule.src} to SNAT target {snat_target} from POSTROUTING chain at position {position}')
                chain.delete_rule(rule)
        table.commit()
        table.autocommit = True
      except:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -425,7 +425,7 @@ services:
            - acme
    netfilter-mailcow:
-      image: mailcow/netfilter:1.50
+      image: mailcow/netfilter:1.51
      stop_grace_period: 30s
      depends_on:
        - dovecot-mailcow