
Endless loop #66

Open
exander77 opened this issue Feb 28, 2025 · 6 comments

Comments

@exander77

I have 50 rules and once it processes the last it loops back again:

2025-02-28T12:49:06+01:00 INF create.go:91 > ufw-docker-automated: Adding inbound rule: /usr/bin/sudo ufw route allow proto tcp from 0.0.0.0/0 to 192.168.80.7 port 22048 comment cme-php-1:0ac5d3c384dc
2025-02-28T12:49:06+01:00 INF create.go:101 > ufw: Skipping adding existing rule

2025-02-28T12:49:06+01:00 INF create.go:91 > ufw-docker-automated: Adding inbound rule: /usr/bin/sudo ufw route allow proto tcp from 0.0.0.0/0 to 192.168.80.7 port 22049 comment cme-php-1:0ac5d3c384dc
2025-02-28T12:49:06+01:00 INF create.go:101 > ufw: Skipping adding existing rule

2025-02-28T12:49:06+01:00 INF create.go:91 > ufw-docker-automated: Adding inbound rule: /usr/bin/sudo ufw route allow proto tcp from 0.0.0.0/0 to 192.168.80.7 port 22050 comment cme-php-1:0ac5d3c384dc
2025-02-28T12:49:07+01:00 INF create.go:101 > ufw: Skipping adding existing rule

2025-02-28T12:49:07+01:00 INF create.go:91 > ufw-docker-automated: Adding inbound rule: /usr/bin/sudo ufw route allow proto tcp from 0.0.0.0/0 to 192.168.80.7 port 22000 comment cme-php-1:0ac5d3c384dc
2025-02-28T12:49:07+01:00 INF create.go:101 > ufw: Skipping adding existing rule

2025-02-28T12:49:07+01:00 INF create.go:91 > ufw-docker-automated: Adding inbound rule: /usr/bin/sudo ufw route allow proto tcp from 0.0.0.0/0 to 192.168.80.7 port 22001 comment cme-php-1:0ac5d3c384dc
2025-02-28T12:49:07+01:00 INF create.go:101 > ufw: Skipping adding existing rule

      UFW_MANAGED: 'TRUE'
      UFW_ALLOW_FROM: '0.0.0.0/0-22000;0.0.0.0/0-22001;0.0.0.0/0-22002;0.0.0.0/0-22003;0.0.0.0/0-22004;0.0.0.0/0-22005;0.0.0.0/0-22006;0.0.0.0/0-22007;0.0.0.0/0-22008;0.0.0.0/0-22009;0.0.0.0/0-22010;0.0.0.0/0-22011;0.0.0.0/0-22012;0.0.0.0/0-22013;0.0.0.0/0-22014;0.0.0.0/0-22015;0.0.0.0/0-22016;0.0.0.0/0-22017;0.0.0.0/0-22018;0.0.0.0/0-22019;0.0.0.0/0-22020;0.0.0.0/0-22021;0.0.0.0/0-22022;0.0.0.0/0-22023;0.0.0.0/0-22024;0.0.0.0/0-22025;0.0.0.0/0-22026;0.0.0.0/0-22027;0.0.0.0/0-22028;0.0.0.0/0-22029;0.0.0.0/0-22030;0.0.0.0/0-22031;0.0.0.0/0-22032;0.0.0.0/0-22033;0.0.0.0/0-22034;0.0.0.0/0-22035;0.0.0.0/0-22036;0.0.0.0/0-22037;0.0.0.0/0-22038;0.0.0.0/0-22039;0.0.0.0/0-22040;0.0.0.0/0-22041;0.0.0.0/0-22042;0.0.0.0/0-22043;0.0.0.0/0-22044;0.0.0.0/0-22045;0.0.0.0/0-22046;0.0.0.0/0-22047;0.0.0.0/0-22048;0.0.0.0/0-22049;0.0.0.0/0-22050'

What is the issue?

@exander77
Author

It is caused by looping over all container ports and adding rules for each port in the string every time. If I map 50 ports, it does rules for fifty ports; it tries to add 50x50 rules, adding the same rules again and again.

@exander77
Author

+                       containerPort := port.Port()
 			// List is non empty if port is published
 			if len(portMaps) > 0 {
 				ufwRules := []UfwRule{}
 				if container.Config.Labels["UFW_ALLOW_FROM"] != "" {
 					ufwAllowFromLabelParsed := strings.Split(container.Config.Labels["UFW_ALLOW_FROM"], ";")
@@ -64,10 +65,14 @@ func CreateUfwRule(ch <-chan *types.ContainerJSON, c *cache.Cache) {
 							}
 						}
 
 						// Example: 172.10.5.0-LAN or 172.10.5.0-80
 						if len(ip) == 2 {
+                                                       labelPort := ip[1]
+                                                       if (labelPort != containerPort) {
+                                                               continue
+                                                       }
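Review bot: the new check `if (labelPort != containerPort) { continue }` compares `ip[1]` against the container port unconditionally, but the comment two lines above documents a `172.10.5.0-LAN` form that also lands in this `len(ip) == 2` branch; for such an entry `ip[1]` is `"LAN"`, never equals `containerPort`, and the entry would be skipped for every port. Suggest applying the port comparison only when `ip[1]` is numeric (or handle the `-LAN` form before the compare). Style: gofmt would drop the parentheses (`if labelPort != containerPort {`), and the added lines are space-indented while the surrounding code uses tabs.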

@exander77
Author

But better way would be to rework it to process the UFW_ALLOW_FROM only once and then apply for ports.
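A sketch of that rework as an added example (not the project's code and not the author's patch): parse `UFW_ALLOW_FROM` once into a port-indexed map, then look up each published port, so the 50-port layout from the issue yields 50 rules instead of 2500. The `src-port` / bare `src` label formats, the `parseAllowFrom` and `buildRules` names and the sample values are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseAllowFrom reads the UFW_ALLOW_FROM label once and indexes its entries
// by port. Assumed formats (this example's, not the project's): "src-port"
// binds src to one port; a bare "src" goes under "" and applies to every port.
func parseAllowFrom(label string) map[string][]string {
	byPort := map[string][]string{}
	for _, entry := range strings.Split(label, ";") {
		if entry == "" {
			continue
		}
		src, port, found := strings.Cut(entry, "-")
		if _, err := strconv.Atoi(port); found && err == nil {
			byPort[port] = append(byPort[port], src)
		} else {
			byPort[""] = append(byPort[""], entry)
		}
	}
	return byPort
}

// buildRules emits one rule per (source, port) pair the label names, so 50
// "src-port" entries over 50 published ports yield 50 rules rather than 50x50.
func buildRules(containerIP string, ports []string, label string) []string {
	allow := parseAllowFrom(label)
	var rules []string
	for _, port := range ports {
		for _, src := range append(append([]string{}, allow[""]...), allow[port]...) {
			rules = append(rules, fmt.Sprintf(
				"ufw route allow proto tcp from %s to %s port %s", src, containerIP, port))
		}
	}
	return rules
}

func main() {
	var entries, ports []string // constructed: the issue's 50-port layout
	for p := 22000; p <= 22049; p++ {
		ports = append(ports, strconv.Itoa(p))
		entries = append(entries, "0.0.0.0/0-"+strconv.Itoa(p))
	}
	fmt.Println(len(buildRules("192.168.80.7", ports, strings.Join(entries, ";"))))
}
```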

@shinebayar-g
Owner

True. The software definitely could benefit from some improvement.

@exander77
Author

@shinebayar-g Do you accept pull requests? I had to fix it for myself, as my 50 ports cause 2500 ufw rules being applied and totally spams my syslog.

@shinebayar-g
Owner

Yeah for sure
