Merge pull request #5711 from amorfo77/master

[Netfilter] set IP check more relaxed on NFTables.py
mailcow · Feb 8, 2024 · 1926625 · 1926625
2 parents 63bb8e8 + eb91d99
commit 1926625
Showing 1 changed file with 8 additions and 7 deletions.
diff --git a/data/Dockerfiles/netfilter/modules/NFTables.py b/data/Dockerfiles/netfilter/modules/NFTables.py
@@ -41,6 +41,7 @@ def checkChainOrder(self, filter_table):
         exit_code = 2
 
       if chain_position > 0:
+        chain_position += 1
         self.logger.logCrit(f'MAILCOW target is in position {chain_position} in the {filter_table} {chain} table, restarting container to fix it...')
         err = True
         exit_code = 2
@@ -309,8 +310,8 @@ def snat_rule(self, _family: str, snat_target: str, source_address: str):
       rule_handle = rule["handle"]
       break
 
-    dest_net = ipaddress.ip_network(source_address)
-    target_net = ipaddress.ip_network(snat_target)
+    dest_net = ipaddress.ip_network(source_address, strict=False)
+    target_net = ipaddress.ip_network(snat_target, strict=False)
 
     if rule_found:
       saddr_ip = rule["expr"][0]["match"]["right"]["prefix"]["addr"]
@@ -321,9 +322,9 @@ def snat_rule(self, _family: str, snat_target: str, source_address: str):
 
       target_ip = rule["expr"][3]["snat"]["addr"]
 
-      saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len))
-      daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len))
-      current_target_net = ipaddress.ip_network(target_ip)
+      saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len), strict=False)
+      daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len), strict=False)
+      current_target_net = ipaddress.ip_network(target_ip, strict=False)
 
       match = all((
                 dest_net == saddr_net,
@@ -417,7 +418,7 @@ def get_ban_ip_dict(self, ipaddr: str, _family: str):
     json_command = self.get_base_dict()
 
     expr_opt = []
-    ipaddr_net = ipaddress.ip_network(ipaddr)
+    ipaddr_net = ipaddress.ip_network(ipaddr, strict=False)
     right_dict = {'prefix': {'addr': str(ipaddr_net.network_address), 'len': int(ipaddr_net.prefixlen) } }
 
     left_dict = {'payload': {'protocol': _family, 'field': 'saddr'} }
@@ -466,7 +467,7 @@ def get_unban_ip_dict(self, ipaddr:str, _family: str):
         current_rule_net = ipaddress.ip_network(current_rule_ip)
 
         # ip to ban
-        candidate_net = ipaddress.ip_network(ipaddr)
+        candidate_net = ipaddress.ip_network(ipaddr, strict=False)
 
         if current_rule_net == candidate_net:
           rule_handle = _object["rule"]["handle"]