From 903bc1a7daf2b9bac1635b8faaddbd4f7fb0fd41 Mon Sep 17 00:00:00 2001
From: gyurix
Date: Tue, 16 Jun 2026 08:51:25 +0200
Subject: [PATCH] fix: correct POSTROUTING MASQUERADE to use destination CIDR and port

Modify InsertPostroutingMasquerade and InsertPostroutingMasqueradeInContainer functions to use destCIDR, proto, and destPort instead of sourceCIDR, proto, and sourcePort. This ensures the masquerade rule correctly targets destination traffic for proper NAT configuration.
---
 network-go/iptables/iptables.go | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/network-go/iptables/iptables.go b/network-go/iptables/iptables.go
index db01aab..2f66078 100644
--- a/network-go/iptables/iptables.go
+++ b/network-go/iptables/iptables.go
@@ -302,24 +302,24 @@ func (m *Manager) InsertPreroutingRuleOnInterface(iface, proto, sourcePort, targ
 }
 // InsertPostroutingMasquerade inserts a MASQUERADE POSTROUTING rule on the host
-func (m *Manager) InsertPostroutingMasquerade(sourceCIDR, proto, sourcePort, comment string) error {
- logger.Info("IPTABLES: checking POSTROUTING MASQUERADE rule: src=%s proto=%s sport=%s comment=%q",
- sourceCIDR, proto, sourcePort, comment)
+func (m *Manager) InsertPostroutingMasquerade(destCIDR, proto, destPort, comment string) error {
+ logger.Info("IPTABLES: checking POSTROUTING MASQUERADE rule: dst=%s proto=%s dport=%s comment=%q",
+ destCIDR, proto, destPort, comment)
 // Check if rule already exists (idempotent: don't re-apply)
- existing := m.getLineNumbers("POSTROUTING", "nat", comment, "MASQUERADE", sourceCIDR)
+ existing := m.getLineNumbers("POSTROUTING", "nat", comment, "MASQUERADE", destCIDR)
 if len(existing) > 0 {
 logger.Debug("IPTABLES: POSTROUTING MASQUERADE rule already exists (lines=%v), skipping", existing)
 return nil
 }
- logger.Info("IPTABLES: inserting POSTROUTING MASQUERADE rule: src=%s proto=%s sport=%s comment=%q",
- sourceCIDR, proto, sourcePort, comment)
+ logger.Info("IPTABLES: inserting POSTROUTING MASQUERADE rule: dst=%s proto=%s dport=%s comment=%q",
+ destCIDR, proto, destPort, comment)
 args := []string{
 "-w", "-t", "nat",
 "-I", "POSTROUTING",
- "-s", sourceCIDR,
+ "-d", destCIDR,
 "-p", proto,
- "--sport", sourcePort,
+ "--dport", destPort,
 "-m", "comment", "--comment", comment,
 "-j", "MASQUERADE",
 }
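Review bot: The idempotency check `existing := m.getLineNumbers("POSTROUTING", "nat", comment, "MASQUERADE", destCIDR)` still matches on comment and CIDR only, so a host that already carries the rule written by the previous code (`-s`/`--sport` with the same comment and CIDR) will most likely be reported as "already exists" and the corrected `-d`/`--dport` rule is never inserted on upgrade; an iptables listing prints both the source and destination columns, so a CIDR substring cannot tell the two directions apart (how getLineNumbers matches is not visible in this hunk). Either extend the match to include `destPort` and the direction, or remove stale rules before the check the way the container variant does with `deleteMatchingLinesInContainer`. The same gap exists in the third hunk, where the `ruleExists` loop tests only `"MASQUERADE"`, `comment` and `destCIDR` and returns before the cleanup whose `patterns` also include `destPort`. The body of InsertPostroutingMasquerade continues past the end of this hunk.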
@@ -472,9 +472,9 @@ func (m *Manager) InsertPreroutingRuleInContainer(pid int, sourceIP, proto, sour
 }
 // InsertPostroutingMasqueradeInContainer inserts a MASQUERADE POSTROUTING rule inside a container namespace
-func (m *Manager) InsertPostroutingMasqueradeInContainer(pid int, sourceCIDR, proto, sourcePort, comment string) error {
- logger.Info("IPTABLES: inserting POSTROUTING MASQUERADE rule in container PID %d: src=%s proto=%s sport=%s comment=%q",
- pid, sourceCIDR, proto, sourcePort, comment)
+func (m *Manager) InsertPostroutingMasqueradeInContainer(pid int, destCIDR, proto, destPort, comment string) error {
+ logger.Info("IPTABLES: inserting POSTROUTING MASQUERADE rule in container PID %d: dst=%s proto=%s dport=%s comment=%q",
+ pid, destCIDR, proto, destPort, comment)
 // First, try to list the chain inside the container to check state
 output, err := m.checkContainerChainExists(pid, "nat", "POSTROUTING")
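Review bot: The new signature `InsertPostroutingMasqueradeInContainer(pid int, destCIDR, proto, destPort, comment string)` keeps the same positional types as the old one, so a caller that still passes a source CIDR and source port compiles unchanged and now installs a MASQUERADE rule matching the opposite direction; the diffstat lists only iptables.go, so callers do not appear to be updated in this commit (they may be changed separately). The doc comment above the function is untouched and does not say which traffic the rule matches, which is the one thing this change alters; suggest `// InsertPostroutingMasqueradeInContainer inserts a MASQUERADE POSTROUTING rule inside a container namespace that matches traffic to destCIDR:destPort over proto.` The same applies to InsertPostroutingMasquerade in the first hunk. The function body continues beyond this hunk.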
@@ -488,27 +488,27 @@ func (m *Manager) InsertPostroutingMasqueradeInContainer(pid int, sourceCIDR, pr
 for _, line := range strings.Split(output, "\n") {
 if strings.Contains(line, "MASQUERADE") &&
 strings.Contains(line, comment) &&
- strings.Contains(line, sourceCIDR) {
+ strings.Contains(line, destCIDR) {
 ruleExists = true
 break
 }
 }
 if ruleExists {
- logger.Info("IPTABLES: POSTROUTING MASQUERADE rule already exists in container PID %d (src=%s), skipping", pid, sourceCIDR)
+ logger.Info("IPTABLES: POSTROUTING MASQUERADE rule already exists in container PID %d (dst=%s), skipping", pid, destCIDR)
 return nil
 }
 // Rule doesn't exist — clean up stale/duplicate rules then insert
- patterns := []string{"MASQUERADE", comment, sourceCIDR, sourcePort}
+ patterns := []string{"MASQUERADE", comment, destCIDR, destPort}
 if delErr := m.deleteMatchingLinesInContainer(pid, "nat", "POSTROUTING", patterns...); delErr != nil {
 logger.Debug("IPTABLES: stale POSTROUTING cleanup in container PID %d: %v", pid, delErr)
 }
 args := []string{
 "-I", "POSTROUTING",
- "-s", sourceCIDR,
+ "-d", destCIDR,
 "-p", proto,
- "--sport", sourcePort,
+ "--dport", destPort,
 "-m", "comment", "--comment", comment,
 "-j", "MASQUERADE",
 }