From 17d3a24d8978230c393cbb339d8d1e5cfd564df4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?=
Date: Fri, 29 Jun 2018 11:25:26 +0200
Subject: [PATCH] [Netfilter] Fix table refresh and rule injection in snat loop
---
 data/Dockerfiles/netfilter/server.py | 23 ++++++++++++++---
 docker-compose.yml | 2 +-
 2 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/data/Dockerfiles/netfilter/server.py b/data/Dockerfiles/netfilter/server.py
index a79fb3a1..389af120 100644
--- a/data/Dockerfiles/netfilter/server.py
+++ b/data/Dockerfiles/netfilter/server.py
@@ -148,15 +148,15 @@ def ban(address):
 print '%d more attempts in the next %d seconds until %s is banned' % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net)
 def unban(net):
- log['time'] = int(round(time.time()))
+ log['time'] = int(round(time.time()))
 log['priority'] = 'info'
 r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
- #if not net in bans:
- # log['message'] = '%s is not banned, skipping unban and deleting from queue (if any)' % net
- # r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
- # print '%s is not banned, skipping unban and deleting from queue (if any)' % net
- # r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
- # return
+ if not net in bans:
+ log['message'] = '%s is not banned, skipping unban and deleting from queue (if any)' % net
+ r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
+ print '%s is not banned, skipping unban and deleting from queue (if any)' % net
+ r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
+ return
 log['message'] = 'Unbanning %s' % net
 r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
 print 'Unbanning %s' % net
@@ -243,7 +243,6 @@ def snat(snat_target):
 def get_snat_rule():
 rule = iptc.Rule()
- rule.position = 1
 rule.src = os.getenv('IPV4_NETWORK', '172.22.1') + '.0/24'
 rule.dst = '!' + rule.src
 target = rule.create_target("SNAT")
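Review bot: The re-enabled guard `if not net in bans:` decides purely from the process-local `bans` dict, so an unban request for a network whose iptables rule is still installed from before a restart would be deleted from `F2B_QUEUE_UNBAN` without the rule ever being removed — unless `bans` is rebuilt from the live chains at startup, which is not visible here, such a net stays blocked with no way to clear it through the queue. Consider checking the chain for the rule before returning, or at least logging this case above `'info'` priority so an operator notices. Separately, the `r.lpush('NETFILTER_LOG', ...)` two lines above the guard still runs before `log['message']` is assigned, so every unban first re-publishes the previous call's message; that push can be dropped since both the guard and the `'Unbanning %s'` path push their own entry. Style: `if net not in bans:` is the idiomatic spelling. `unban` continues past the end of the hunk.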
@@ -252,6 +251,7 @@ def snat(snat_target):
 while True:
 table = iptc.Table('nat')
+ table.refresh()
 table.autocommit = False
 chain = iptc.Chain(table, 'POSTROUTING')
 if get_snat_rule() not in chain.rules:
@@ -262,7 +262,12 @@ def snat(snat_target):
 print log['message']
 chain.insert_rule(get_snat_rule())
 table.commit()
- table.refresh()
+ else:
+ for i, rule in enumerate(chain.rules):
+ if rule == get_snat_rule():
+ if i != 0:
+ chain.delete_rule(get_snat_rule())
+ table.commit()
 time.sleep(10)
 def autopurge():
diff --git a/docker-compose.yml b/docker-compose.yml
index ccab2f85..621c11ae 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -325,7 +325,7 @@ services:
 - acme
 netfilter-mailcow:
- image: mailcow/netfilter:1.13
+ image: mailcow/netfilter:1.14
 build: ./data/Dockerfiles/netfilter
 stop_grace_period: 30s
 depends_on:
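Review bot: In the new `else:` branch a SNAT rule found at `i != 0` is deleted and committed but not re-inserted, so POSTROUTING carries no SNAT rule for `IPV4_NETWORK` until the `get_snat_rule() not in chain.rules` branch runs on the next pass — at least the `time.sleep(10)` window — and traffic from the mail network leaves with its untranslated container source address in between. Re-insert in the same commit instead of waiting a cycle: after `chain.delete_rule(get_snat_rule())` add `chain.insert_rule(get_snat_rule())` before `table.commit()`, then `break`. Deleting by rule spec most likely removes the first matching entry rather than the one at index `i`, so if the rule is present both at the top and further down the loop as written would remove the correct one and continue iterating a list that no longer matches the chain; the `break` limits that to one delete-and-reinsert per pass. The enclosing `while True:` loop begins before this hunk.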