
[Netfilter] Fix table refresh and rule injection in snat loop

André 7 lat temu
rodzic
commit
17d3a24d89
2 zmienionych plików z 15 dodań i 10 usunięć
  1. 14 9
      data/Dockerfiles/netfilter/server.py
  2. 1 1
      docker-compose.yml

+ 14 - 9
data/Dockerfiles/netfilter/server.py

@@ -148,15 +148,15 @@ def ban(address):
     print '%d more attempts in the next %d seconds until %s is banned' % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net)
 
 def unban(net):
-  log['time'] = int(round(time.time()))
+  log['time'] = int(round(time.time())) 
   log['priority'] = 'info'
   r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
-  #if not net in bans:
-  #  log['message'] = '%s is not banned, skipping unban and deleting from queue (if any)' % net
-  #  r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
-  #  print '%s is not banned, skipping unban and deleting from queue (if any)' % net
-  #  r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
-  #  return
+  if not net in bans:
+   log['message'] = '%s is not banned, skipping unban and deleting from queue (if any)' % net
+   r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
+   print '%s is not banned, skipping unban and deleting from queue (if any)' % net
+   r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
+   return
   log['message'] = 'Unbanning %s' % net
   r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
   print 'Unbanning %s' % net
@@ -243,7 +243,6 @@ def watch():
 def snat(snat_target):
   def get_snat_rule():
     rule = iptc.Rule()
-    rule.position = 1
     rule.src = os.getenv('IPV4_NETWORK', '172.22.1') + '.0/24'
     rule.dst = '!' + rule.src
     target = rule.create_target("SNAT")
@@ -252,6 +251,7 @@ def snat(snat_target):
 
   while True:
     table = iptc.Table('nat')
+    table.refresh()
     table.autocommit = False
     chain = iptc.Chain(table, 'POSTROUTING')
     if get_snat_rule() not in chain.rules:
@@ -262,7 +262,12 @@ def snat(snat_target):
       print log['message']
       chain.insert_rule(get_snat_rule())
       table.commit()
-      table.refresh()
+    else:
+      for i, rule in enumerate(chain.rules):
+        if rule == get_snat_rule():
+          if i != 0:
+            chain.delete_rule(get_snat_rule())
+            table.commit()
     time.sleep(10)
 
 def autopurge():
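Review bot: When the SNAT rule is found at a position other than 0, the new else-branch deletes it and commits without re-inserting it, so the mailcow network has no SNAT rule until the next loop pass re-adds it roughly ten seconds later (the `time.sleep(10)` above); during that window outbound traffic from the `IPV4_NETWORK` range leaves without the configured `snat_target` source, which for a mail host is likely to matter for anything keyed on the sending IP. Re-insert in the same transaction and stop scanning once the rule has been handled: after `chain.delete_rule(get_snat_rule())` add `chain.insert_rule(get_snat_rule())`, and add a `break` after the `if i != 0:` block. The loop also keeps iterating the `chain.rules` snapshot taken before the delete, so if duplicate SNAT rules ever exist it may call `delete_rule` more than once; I believe libiptc removes the first matching entry, which could then be the correctly placed rule at position 0, so the `break` guards that case as well, but confirm against python-iptables' `delete_rule` semantics. The enclosing `snat()` function starts before this hunk.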

+ 1 - 1
docker-compose.yml

@@ -325,7 +325,7 @@ services:
             - acme
 
     netfilter-mailcow:
-      image: mailcow/netfilter:1.13
+      image: mailcow/netfilter:1.14
       build: ./data/Dockerfiles/netfilter
       stop_grace_period: 30s
       depends_on: