add nftables support

This commit is contained in:
amorfo77 2023-02-04 11:58:59 +01:00
parent df8775d4c9
commit 85c9606baa
6 changed files with 1130 additions and 2 deletions


@ -1,6 +1,8 @@
FROM alpine:3.17
LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
WORKDIR /app
ENV XTABLES_LIBDIR /usr/lib/xtables
ENV PYTHON_IPTABLES_XTABLES_VERSION 12
ENV IPTABLES_LIBDIR /usr/lib
@ -14,10 +16,13 @@ RUN apk add --virtual .build-deps \
iptables \
ip6tables \
xtables-addons \
nftables \
tzdata \
py3-pip \
py3-nftables \
musl-dev \
&& pip3 install --ignore-installed --upgrade pip \
jsonschema \
python-iptables \
redis \
ipaddress \
@ -26,5 +31,10 @@ RUN apk add --virtual .build-deps \
# && pip3 install --upgrade pip python-iptables==0.13.0 redis ipaddress dnspython \
COPY server.py /
CMD ["python3", "-u", "/server.py"]
COPY server.py /app/
COPY server-nft.py /app/
COPY ./netfilter.sh /app/
RUN chmod +x /app/netfilter.sh
CMD ["/bin/sh", "/app/netfilter.sh"]
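Review bot: `RUN chmod +x /app/netfilter.sh` right after `COPY ./netfilter.sh /app/` writes a second copy of the script into its own layer; with BuildKit the mode can be set in the copy itself, `COPY --chmod=755 netfilter.sh /app/`, and the three `COPY` lines into /app/ can then collapse into one instruction. Once the file is executable its `#!/bin/sh` shebang makes `CMD ["/app/netfilter.sh"]` sufficient, which keeps the script as the direct child of the runtime rather than going through an extra `/bin/sh`. In the second hunk the new `nftables` and `py3-nftables` lines sit under the `RUN apk add --virtual .build-deps` instruction named in the hunk header; if that virtual set is removed later in the RUN (not visible here), the nft backend would lose its packages at runtime, so confirm they land on the runtime package list. The rendered hunk shows fewer lines than its 5-old/10-new header implies, so which lines are added is inferred.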


@ -0,0 +1,11 @@
#!/bin/sh
server_to_use="server.py"
if [ -n "$USE_NFTABLES" ]; then
if echo "$USE_NFTABLES" | grep -Eq "^[yY]$"; then
server_to_use="server-nft.py"
fi
fi
exec python -u ${server_to_use}
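Review bot: The script invokes `python` while the CMD it replaces ran `python3`; whether `python` resolves in alpine:3.17's python3 package should be confirmed, otherwise `exec python3 -u "$server_to_use"` preserves the previous behaviour (quoting the variable also keeps the two commands alike). The outer `-n` test is redundant because `grep -Eq "^[yY]$"` already fails on an empty value, so the selection can be one block: `if echo "$USE_NFTABLES" | grep -Eq "^[yY]$"; then server_to_use="server-nft.py"; fi`. The relative script name relies on the image's `WORKDIR /app`; a one-line comment such as `# paths are relative to WORKDIR /app set in the Dockerfile` would make that dependency explicit.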



@ -531,6 +531,7 @@ def initChain():
if __name__ == '__main__':
logInfo("Using Iptables backend")
# In case a previous session was killed without cleanup
clear()
# Reinit MAILCOW chain


@ -441,6 +441,7 @@ services:
- IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
- SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n}
- SNAT6_TO_SOURCE=${SNAT6_TO_SOURCE:-n}
- USE_NFTABLES=${USE_NFTABLES:-n}
- REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
- REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
network_mode: "host"


@ -394,6 +394,10 @@ IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
#SNAT6_TO_SOURCE=
# Use this variable if you want to use Nftables instead of Iptables in the netfilter container
#USE_NFTABLES=
# Create or override an API key for the web UI
# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
# An API key defined as API_KEY has read-write access
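Review bot: The comment above `#USE_NFTABLES=` does not say which value enables the switch, while netfilter.sh only accepts `y` or `Y` and docker-compose defaults it to `n`; an operator setting `USE_NFTABLES=true` or `yes` would silently stay on iptables. Suggest `# Set to y to use nftables instead of iptables in the netfilter container (any other value keeps iptables, default n)` so the accepted form is documented next to the option.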