Fix: I discovered an issue after last Ubuntu updates at the moment of allocating port forwarding rules.

nesitor · nesitor · commit dd4cd300904a · 2025-10-30T12:28:27.000+01:00
diff --git a/src/aleph/vm/network/firewall.py b/src/aleph/vm/network/firewall.py
@@ -90,7 +90,25 @@ def get_base_chains_for_hook(hook: str, family: str = "ip") -> list:
 
 def get_table_for_hook(hook: str, family: str = "ip") -> str:
     chains = get_base_chains_for_hook(hook, family)
-    table = chains.pop()["chain"]["table"]
+    if not chains:
+        raise Exception(f"Could not find any base chain for hook '{hook}'")
+
+    # Sort by priority, lowest-to-highest
+    chains.sort(key=lambda x: x["chain"].get("prio", 0))
+
+    if hook == "prerouting":
+        # For prerouting (DNAT), we MUST use the 'nat' type hook.
+        # Filter for 'nat' type chains and pick the one with the highest priority (last in list).
+        nat_chains = [c for c in chains if c["chain"].get("type") == "nat"]
+        if not nat_chains:
+            # Fallback: maybe only the 'raw' chain exists. This will fail, but it's what the log shows.
+            logger.warning(f"No 'nat' type prerouting chain found. Falling back to highest prio chain.")
+            table = chains[-1]["chain"]["table"]
+        else:
+            table = nat_chains[-1]["chain"]["table"] # Pick highest prio 'nat' chain
+    else:
+        # For forward/postrouting, use the lowest priority (earliest)
+        table = chains[0]["chain"]["table"]
     return table
 
 
@@ -230,9 +248,21 @@ def initialize_nftables() -> None:
             new_chain = {"chain": chain}
             commands.append({"add": new_chain})
             chains.append(new_chain)
-        # If multiple base chain for the hook, use the less priority one
+
+        # Sort by priority, lowest-to-highest
         chains.sort(key=lambda x: x["chain"]["prio"])
-        base_chains[hook] = chains[0]["chain"]
+
+        if hook == "prerouting":
+            # For prerouting, we MUST use the 'nat' type hook which has a higher priority than the 'raw' hook,
+            # We filter for 'nat' type, and if multiple, pick the one with highest priority (last in list).
+            nat_chains = [c for c in chains if c["chain"].get("type") == "nat"]
+            if not nat_chains:
+                raise Exception("Failed to find or create a 'nat' type prerouting chain")
+            base_chains[hook] = nat_chains[-1]["chain"] # Pick highest prio 'nat' chain
+        else:
+            # For other hooks (forward, postrouting), use the original logic:
+            # the one with the lowest priority (earliest).
+            base_chains[hook] = chains[0]["chain"]
 
     # Add chain aleph-supervisor-nat
     commands += add_entity_if_not_present(
