fix: correct POSTROUTING MASQUERADE to use destination CIDR and port

Modify InsertPostroutingMasquerade and InsertPostroutingMasqueradeInContainer to take destCIDR, proto, and destPort instead of sourceCIDR, proto, and sourcePort, and to build the rule with `-d`/`--dport` rather than `-s`/`--sport`. This makes the MASQUERADE rule match on the destination address and port of the flow, which is what the NAT configuration requires.
This commit is contained in:
gyurix
2026-06-16 08:51:25 +02:00
parent d1c8eaef3e
commit 903bc1a7da
+16 -16
@@ -302,24 +302,24 @@ func (m *Manager) InsertPreroutingRuleOnInterface(iface, proto, sourcePort, targ
}
// InsertPostroutingMasquerade inserts a MASQUERADE POSTROUTING rule on the host
func (m *Manager) InsertPostroutingMasquerade(sourceCIDR, proto, sourcePort, comment string) error {
logger.Info("IPTABLES: checking POSTROUTING MASQUERADE rule: src=%s proto=%s sport=%s comment=%q",
sourceCIDR, proto, sourcePort, comment)
func (m *Manager) InsertPostroutingMasquerade(destCIDR, proto, destPort, comment string) error {
logger.Info("IPTABLES: checking POSTROUTING MASQUERADE rule: dst=%s proto=%s dport=%s comment=%q",
destCIDR, proto, destPort, comment)
// Check if rule already exists (idempotent: don't re-apply)
existing := m.getLineNumbers("POSTROUTING", "nat", comment, "MASQUERADE", sourceCIDR)
existing := m.getLineNumbers("POSTROUTING", "nat", comment, "MASQUERADE", destCIDR)
if len(existing) > 0 {
logger.Debug("IPTABLES: POSTROUTING MASQUERADE rule already exists (lines=%v), skipping", existing)
return nil
}
logger.Info("IPTABLES: inserting POSTROUTING MASQUERADE rule: src=%s proto=%s sport=%s comment=%q",
sourceCIDR, proto, sourcePort, comment)
logger.Info("IPTABLES: inserting POSTROUTING MASQUERADE rule: dst=%s proto=%s dport=%s comment=%q",
destCIDR, proto, destPort, comment)
args := []string{
"-w", "-t", "nat", "-I", "POSTROUTING",
"-s", sourceCIDR,
"-d", destCIDR,
"-p", proto,
"--sport", sourcePort,
"--dport", destPort,
"-m", "comment", "--comment", comment,
"-j", "MASQUERADE",
}
@@ -472,9 +472,9 @@ func (m *Manager) InsertPreroutingRuleInContainer(pid int, sourceIP, proto, sour
}
// InsertPostroutingMasqueradeInContainer inserts a MASQUERADE POSTROUTING rule inside a container namespace
func (m *Manager) InsertPostroutingMasqueradeInContainer(pid int, sourceCIDR, proto, sourcePort, comment string) error {
logger.Info("IPTABLES: inserting POSTROUTING MASQUERADE rule in container PID %d: src=%s proto=%s sport=%s comment=%q",
pid, sourceCIDR, proto, sourcePort, comment)
func (m *Manager) InsertPostroutingMasqueradeInContainer(pid int, destCIDR, proto, destPort, comment string) error {
logger.Info("IPTABLES: inserting POSTROUTING MASQUERADE rule in container PID %d: dst=%s proto=%s dport=%s comment=%q",
pid, destCIDR, proto, destPort, comment)
// First, try to list the chain inside the container to check state
output, err := m.checkContainerChainExists(pid, "nat", "POSTROUTING")
@@ -488,27 +488,27 @@ func (m *Manager) InsertPostroutingMasqueradeInContainer(pid int, sourceCIDR, pr
for _, line := range strings.Split(output, "\n") {
if strings.Contains(line, "MASQUERADE") &&
strings.Contains(line, comment) &&
strings.Contains(line, sourceCIDR) {
strings.Contains(line, destCIDR) {
ruleExists = true
break
}
}
if ruleExists {
logger.Info("IPTABLES: POSTROUTING MASQUERADE rule already exists in container PID %d (src=%s), skipping", pid, sourceCIDR)
logger.Info("IPTABLES: POSTROUTING MASQUERADE rule already exists in container PID %d (dst=%s), skipping", pid, destCIDR)
return nil
}
// Rule doesn't exist — clean up stale/duplicate rules then insert
patterns := []string{"MASQUERADE", comment, sourceCIDR, sourcePort}
patterns := []string{"MASQUERADE", comment, destCIDR, destPort}
if delErr := m.deleteMatchingLinesInContainer(pid, "nat", "POSTROUTING", patterns...); delErr != nil {
logger.Debug("IPTABLES: stale POSTROUTING cleanup in container PID %d: %v", pid, delErr)
}
args := []string{
"-I", "POSTROUTING",
"-s", sourceCIDR,
"-d", destCIDR,
"-p", proto,
"--sport", sourcePort,
"--dport", destPort,
"-m", "comment", "--comment", comment,
"-j", "MASQUERADE",
}
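Review bot: The idempotency checks cannot tell the corrected rule apart from the one this commit replaces: on the host, `getLineNumbers("POSTROUTING", "nat", comment, "MASQUERADE", destCIDR)` matches on comment and CIDR only, and the container check at `strings.Contains(line, destCIDR)` does the same, so if a previously installed `-s CIDR --sport PORT` rule shares the comment and CIDR string with the new call (which depends on the callers, not visible here), both paths report "already exists" and the `-d`/`--dport` rule is never inserted. The container path at least runs `deleteMatchingLinesInContainer` before inserting, but only after the substring check has already returned, and the host path has no stale cleanup at all, so an upgraded host keeps masquerading the old flows. A rule-exact check avoids this class of mismatch: run `iptables -w -t nat -C POSTROUTING` with the same argument list as the insert (minus `-I`) and treat a non-zero exit as "absent", or at minimum include `--dport`/`destPort` and the `-d` direction in the match patterns, and make the host path delete stale `MASQUERADE` rules carrying the same comment before inserting, as the container path does. Separately, neither rule restricts the outgoing interface (`-o`), so the MASQUERADE applies to traffic toward destCIDR on every interface; if the caller only intends the egress uplink, adding `-o <iface>` (the file already has an interface-aware `InsertPreroutingRuleOnInterface`) would narrow it. Note that `--dport` is only valid when proto is tcp, udp, or another port-carrying protocol; an empty or `all` proto makes iptables reject the rule, which is not new to this commit but worth validating at the top of both functions.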