From ef4845548f9cd6836de98f21e685beb59079dbfc Mon Sep 17 00:00:00 2001
From: "Manuel Amador (Rudd-O)"
Date: Tue, 20 Feb 2024 08:27:57 +0000
Subject: [PATCH] Insert custom postrouting chain before masquerade.

---
 qubes-network-server.spec | 2 +-
 qubesroutingmanager/__init__.py | 45 ++++++++++++++++++++-------------
 2 files changed, 29 insertions(+), 18 deletions(-)

diff --git a/qubes-network-server.spec b/qubes-network-server.spec
index 2c26060..69299ed 100644
--- a/qubes-network-server.spec
+++ b/qubes-network-server.spec
@@ -3,7 +3,7 @@
 %define mybuildnumber %{?build_number}%{?!build_number:1}
 
 Name: qubes-network-server
-Version: 0.1.1
+Version: 0.1.2
 Release: %{mybuildnumber}%{?dist}
 Summary: Turn your Qubes OS into a network server
 BuildArch: noarch
diff --git a/qubesroutingmanager/__init__.py b/qubesroutingmanager/__init__.py
index 7e46176..1386230 100644
--- a/qubesroutingmanager/__init__.py
+++ b/qubesroutingmanager/__init__.py
@@ -139,15 +139,20 @@ def append_counter_at_end(
     )
 
 
-def append_rule_after(
-    address_family: ADDRESS_FAMILIES, table: str, chain: str, handle: int, *rest: str
+def _append_or_insert_rule(
+    where: Literal["add"] | Literal["insert"],
+    address_family: ADDRESS_FAMILIES,
+    table: str,
+    chain: str,
+    handle: int,
+    *rest: str,
 ) -> None:
     subprocess.check_output(
         [
             NFTABLES_CMD,
             "-n",
             "-j",
-            "add",
+            where,
             "rule",
             address_family,
             table,
@@ -160,6 +165,18 @@ def append_rule_after(
     )
 
 
+def append_rule_after(
+    address_family: ADDRESS_FAMILIES, table: str, chain: str, handle: int, *rest: str
+) -> None:
+    _append_or_insert_rule("add", address_family, table, chain, handle, *rest)
+
+
+def insert_rule_before(
+    address_family: ADDRESS_FAMILIES, table: str, chain: str, handle: int, *rest: str
+) -> None:
+    _append_or_insert_rule("insert", address_family, table, chain, handle, *rest)
+
+
 def delete_rule(
     address_family: ADDRESS_FAMILIES, table: str, chain: str, handle: int
 ) -> None:
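Review bot: The new parameter annotation `where: Literal["add"] | Literal["insert"]` spells a two-member literal as a union of two single-member literals; the idiomatic form is `where: Literal["add", "insert"]`, which type checkers treat identically. The helper also has no docstring, and the difference between the two verbs is exactly what a caller needs to know: per nft semantics, `add rule ... position <handle>` appends after that rule while `insert rule ... position <handle>` places the new rule before it, so I would add `"""Place a rule relative to the rule with handle *handle* in *chain*: "add" appends after it, "insert" puts it before it."""` under the signature. Whether `Literal` is imported from `typing` is not visible in this hunk and should be confirmed. The function body continues past the hunk, where the handle is presumably passed to nft.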
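Review bot: `append_rule_after` and `insert_rule_before` are public wrappers whose names carry the whole contract, yet neither has a docstring stating on which side of the rule identified by `handle` the new rule lands. I would add `"""Append a rule directly after the rule with handle *handle* in *chain*."""` to the first and `"""Insert a rule directly before the rule with handle *handle* in *chain*."""` to the second, so a reader does not have to open `_append_or_insert_rule` and recall nft's `add`/`insert` position semantics. Both wrappers forward `*rest` unchanged, so whatever the helper expects there is the wrappers' contract as well.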
@@ -245,31 +262,25 @@ def setup_plain_forwarding_for_address(source: str, enable: bool, family: int) -
             == ADD_FORWARD_RULE_AFTER_THIS_RULE
         )
 
-    def is_postrouting_lo_accept(rule):
+    def is_postrouting_masquerade(rule):
         return (
             rule["chain"] == postrouting_chain["name"]
-            and len(rule["expr"]) == 2
-            and rule["expr"][0].get("match", {}).get("op", "") == "=="
-            and rule["expr"][0]
-            .get("match", {})
-            .get("left", {})
-            .get("meta", {})
-            .get("key")
-            == "oif"
-            and rule["expr"][0].get("match", {}).get("right", "") == "lo"
-            and "accept" in rule["expr"][1]
+            and len(rule["expr"]) == 1
+            and "masquerade" in rule["expr"][0]
         )
 
-    for parent_chain, child_chain_name, previous_rule_detector in [
+    for parent_chain, child_chain_name, previous_rule_detector, insertor in [
         (
             forward_chain,
             ROUTING_MANAGER_CHAIN_NAME,
             is_forward_jump_to_custom_forward,
+            append_rule_after,
         ),
         (
             postrouting_chain,
             ROUTING_MANAGER_POSTROUTING_CHAIN_NAME,
-            is_postrouting_lo_accept,
+            is_postrouting_masquerade,
+            insert_rule_before,
         ),
     ]:
         jump_rule: None | Rule = None
@@ -302,7 +313,7 @@ def setup_plain_forwarding_for_address(source: str, enable: bool, family: int) -
                 child_chain_name,
                 TABLE_NAME,
             )
-            append_rule_after(
+            insertor(
                 af,
                 TABLE_NAME,
                 parent_chain["name"],
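Review bot: With the postrouting entry now carrying `insert_rule_before`, the loop variable `previous_rule_detector` no longer describes both tuples: for the forward chain it finds the rule the jump goes after, for postrouting the rule the jump goes before, so `anchor_rule_detector` would be accurate for both. `insertor` is also an unusual spelling; `place_jump_rule` (or `inserter`) would read better, and the same name is used at the call site in the `@@ -302,7 +313,7 @@` hunk. Separately, `is_postrouting_masquerade` requires exactly one expression, so a masquerade rule that ever carries a counter or another statement would not be recognised, leaving no anchor for the jump and handing the outcome to the code after `jump_rule: None | Rule = None`, which is outside this hunk. A slightly more tolerant check is `and any("masquerade" in expr for expr in rule["expr"])` in place of the `len(rule["expr"]) == 1` and `"masquerade" in rule["expr"][0]` lines. The enclosing `setup_plain_forwarding_for_address` begins and ends outside this hunk.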