[Netfilter] Fix table refresh and rule injection in snat loop

2018-06-29 11:25:26 +02:00 · 2018-06-29 11:25:26 +02:00 · 17d3a24d89
parent 73a566b25a
commit 17d3a24d89
2 changed files with 15 additions and 10 deletions
--- a/data/Dockerfiles/netfilter/server.py
+++ b/data/Dockerfiles/netfilter/server.py
@ -148,15 +148,15 @@ def ban(address):
    print '%d more attempts in the next %d seconds until %s is banned' % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net)

 def unban(net):
-  log['time'] = int(round(time.time()))
+  log['time'] = int(round(time.time())) 
  log['priority'] = 'info'
  r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
-  #if not net in bans:
-  #  log['message'] = '%s is not banned, skipping unban and deleting from queue (if any)' % net
-  #  r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
-  #  print '%s is not banned, skipping unban and deleting from queue (if any)' % net
-  #  r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
-  #  return
+  if not net in bans:
+   log['message'] = '%s is not banned, skipping unban and deleting from queue (if any)' % net
+   r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
+   print '%s is not banned, skipping unban and deleting from queue (if any)' % net
+   r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
+   return
  log['message'] = 'Unbanning %s' % net
  r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
  print 'Unbanning %s' % net
@ -243,7 +243,6 @@ def watch():
 def snat(snat_target):
  def get_snat_rule():
    rule = iptc.Rule()
-    rule.position = 1
    rule.src = os.getenv('IPV4_NETWORK', '172.22.1') + '.0/24'
    rule.dst = '!' + rule.src
    target = rule.create_target("SNAT")
@ -252,6 +251,7 @@ def snat(snat_target):

  while True:
    table = iptc.Table('nat')
+    table.refresh()
    table.autocommit = False
    chain = iptc.Chain(table, 'POSTROUTING')
    if get_snat_rule() not in chain.rules:
@ -262,7 +262,12 @@ def snat(snat_target):
      print log['message']
      chain.insert_rule(get_snat_rule())
      table.commit()
-      table.refresh()
+    else:
+      for i, rule in enumerate(chain.rules):
+        if rule == get_snat_rule():
+          if i != 0:
+            chain.delete_rule(get_snat_rule())
+            table.commit()
    time.sleep(10)

 def autopurge():
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -325,7 +325,7 @@ services:
            - acme

    netfilter-mailcow:
-      image: mailcow/netfilter:1.13
+      image: mailcow/netfilter:1.14
      build: ./data/Dockerfiles/netfilter
      stop_grace_period: 30s
      depends_on: