[Netfilter] Fix table refresh and rule injection in snat loop

master
André 2018-06-29 11:25:26 +02:00
parent 73a566b25a
commit 17d3a24d89
2 changed files with 15 additions and 10 deletions


@ -148,15 +148,15 @@ def ban(address):
print '%d more attempts in the next %d seconds until %s is banned' % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net) print '%d more attempts in the next %d seconds until %s is banned' % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net)
def unban(net): def unban(net):
log['time'] = int(round(time.time())) log['time'] = int(round(time.time()))
log['priority'] = 'info' log['priority'] = 'info'
r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False)) r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
#if not net in bans: if not net in bans:
# log['message'] = '%s is not banned, skipping unban and deleting from queue (if any)' % net log['message'] = '%s is not banned, skipping unban and deleting from queue (if any)' % net
# r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False)) r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
# print '%s is not banned, skipping unban and deleting from queue (if any)' % net print '%s is not banned, skipping unban and deleting from queue (if any)' % net
# r.hdel('F2B_QUEUE_UNBAN', '%s' % net) r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
# return return
log['message'] = 'Unbanning %s' % net log['message'] = 'Unbanning %s' % net
r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False)) r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
print 'Unbanning %s' % net print 'Unbanning %s' % net
@ -243,7 +243,6 @@ def watch():
def snat(snat_target): def snat(snat_target):
def get_snat_rule(): def get_snat_rule():
rule = iptc.Rule() rule = iptc.Rule()
rule.position = 1
rule.src = os.getenv('IPV4_NETWORK', '172.22.1') + '.0/24' rule.src = os.getenv('IPV4_NETWORK', '172.22.1') + '.0/24'
rule.dst = '!' + rule.src rule.dst = '!' + rule.src
target = rule.create_target("SNAT") target = rule.create_target("SNAT")
@ -252,6 +251,7 @@ def snat(snat_target):
while True: while True:
table = iptc.Table('nat') table = iptc.Table('nat')
table.refresh()
table.autocommit = False table.autocommit = False
chain = iptc.Chain(table, 'POSTROUTING') chain = iptc.Chain(table, 'POSTROUTING')
if get_snat_rule() not in chain.rules: if get_snat_rule() not in chain.rules:
@ -262,7 +262,12 @@ def snat(snat_target):
print log['message'] print log['message']
chain.insert_rule(get_snat_rule()) chain.insert_rule(get_snat_rule())
table.commit() table.commit()
table.refresh() else:
for i, rule in enumerate(chain.rules):
if rule == get_snat_rule():
if i != 0:
chain.delete_rule(get_snat_rule())
table.commit()
time.sleep(10) time.sleep(10)
def autopurge(): def autopurge():
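Review bot: In the new `else` branch of the snat loop the out-of-position SNAT rule is deleted and committed but never re-added in the same pass, so the POSTROUTING chain runs without it until the next iteration after `time.sleep(10)`; during that window traffic from the `IPV4_NETWORK` range leaves without source NAT. Move the rule in one commit instead: after `chain.delete_rule(get_snat_rule())` add `chain.insert_rule(get_snat_rule())` before `table.commit()`, and `break` out of the `for` once the rule has been handled so the loop does not keep walking a `chain.rules` snapshot that no longer matches the table. `table.commit()` is also unguarded here; if python-iptables raises on a busy xtables lock, the `while True` loop and with it the SNAT maintenance ends — consider catching `iptc.IPTCError`, logging it and retrying on the next iteration. The body of `snat` between the second and third hunk and the rest of the module are outside the view.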


@ -325,7 +325,7 @@ services:
- acme - acme
netfilter-mailcow: netfilter-mailcow:
image: mailcow/netfilter:1.13 image: mailcow/netfilter:1.14
build: ./data/Dockerfiles/netfilter build: ./data/Dockerfiles/netfilter
stop_grace_period: 30s stop_grace_period: 30s
depends_on: depends_on: