watchdog (unbound): nagios check_dns plugin SEGFAULT

Contribution guidelines

[X] I've read the contribution guidelines and wholeheartedly agree

I've found a bug and checked that ...

[X] ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
[X] ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
[X] ... I have understood that answers are voluntary and community-driven, and not commercial support.
[X] ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

Ever since my last mailcow update, watchdog has been spitting out alerts about unbound-mailcow. After investigating these today, it seems like `/usr/lib/nagios/plugins/check_dns` is at fault: It reliably segfaults on every single call.

Logs:

[root@mail ~]# docker logs $(docker ps -qf name=watchdog-mailcow) -n 100
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
Thu Mar 9 09:13:55 CET 2023 Container is running for less than 360 seconds, skipping action...
Thu Mar 9 09:13:55 CET 2023 Fail2ban health level: 100% (1/1), health trend: 0
Thu Mar 9 09:13:55 CET 2023 SOGo health level: 100% (3/3), health trend: 0
Thu Mar 9 09:13:55 CET 2023 Unbound health level: 0% (0/5), health trend: -139
Thu Mar 9 09:13:56 CET 2023 Dovecot health level: 100% (12/12), health trend: 0
Thu Mar 9 09:13:56 CET 2023 Unbound hit error limit
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded
DNSSEC check succeeded

Steps to reproduce:

1. `[root@mail ~]# docker exec -it $(docker ps -qf name=watchdog-mailcow) bash`
2. `0e9cd66e80ae:/# /usr/lib/nagios/plugins/check_dns -H stackoverflow.com -s 172.22.1.254
Segmentation fault (core dumped)`

Which branch are you using?

master

Operating System:

Arch

Server/VM specifications:

2GB RAM, 2 Cores

Is Apparmor, SELinux or similar active?

Virtualization technology:

KVM

Docker version:

23.0.1

docker-compose version or docker compose version:

2.16.0

mailcow version:

2023-03

Reverse proxy:

nginx

Logs of git diff:

diff --git a/docker-compose.yml b/docker-compose.yml
index 40d22ce0..f80ba22e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -57,23 +57,23 @@ services:
           aliases:
             - redis

-    clamd-mailcow:
-      image: mailcow/clamd:1.61
-      restart: always
-      depends_on:
-        - unbound-mailcow
-      dns:
-        - ${IPV4_NETWORK:-172.22.1}.254
-      environment:
-        - TZ=${TZ}
-        - SKIP_CLAMD=${SKIP_CLAMD:-n}
-      volumes:
-        - ./data/conf/clamav/:/etc/clamav/:Z
-        - clamd-db-vol-1:/var/lib/clamav
-      networks:
-        mailcow-network:
-          aliases:
-            - clamd
+#    clamd-mailcow:
+#      image: mailcow/clamd:1.61
+#      restart: always
+#      depends_on:
+#        - unbound-mailcow
+#      dns:
+#        - ${IPV4_NETWORK:-172.22.1}.254
+#      environment:
+#        - TZ=${TZ}
+#        - SKIP_CLAMD=${SKIP_CLAMD:-n}
+#      volumes:
+#        - ./data/conf/clamav/:/etc/clamav/:Z
+#        - clamd-db-vol-1:/var/lib/clamav
+#      networks:
+#        mailcow-network:
+#          aliases:
+#            - clamd

     rspamd-mailcow:
       image: mailcow/rspamd:1.92
@@ -280,8 +280,8 @@ services:
         ofelia.job-exec.dovecot_maildir_gc.command: "/bin/bash -c \"source /source_env.sh ; /usr/local/bin/gosu vmail /usr/local/bin/maildir_gc.sh\""
         ofelia.job-exec.dovecot_sarules.schedule: "@every 24h"
         ofelia.job-exec.dovecot_sarules.command: "/bin/bash -c \"/usr/local/bin/sa-rules.sh\""
-        ofelia.job-exec.dovecot_fts.schedule: "@every 24h"
-        ofelia.job-exec.dovecot_fts.command: "/usr/bin/curl http://solr:8983/solr/dovecot-fts/update?optimize=true"
+        #ofelia.job-exec.dovecot_fts.schedule: "@every 24h"
+        #ofelia.job-exec.dovecot_fts.command: "/usr/bin/curl http://solr:8983/solr/dovecot-fts/update?optimize=true"
         ofelia.job-exec.dovecot_repl_health.schedule: "@every 5m"
         ofelia.job-exec.dovecot_repl_health.command: "/bin/bash -c \"/usr/local/bin/gosu vmail /usr/local/bin/repl_health.sh\""
       ulimits:
@@ -528,21 +528,21 @@ services:
           aliases:
             - dockerapi

-    solr-mailcow:
-      image: mailcow/solr:1.8.1
-      restart: always
-      volumes:
-        - solr-vol-1:/opt/solr/server/solr/dovecot-fts/data
-      ports:
-        - "${SOLR_PORT:-127.0.0.1:18983}:8983"
-      environment:
-        - TZ=${TZ}
-        - SOLR_HEAP=${SOLR_HEAP:-1024}
-        - SKIP_SOLR=${SKIP_SOLR:-y}
-      networks:
-        mailcow-network:
-          aliases:
-            - solr
+#    solr-mailcow:
+#      image: mailcow/solr:1.8.1
+#      restart: always
+#      volumes:
+#        - solr-vol-1:/opt/solr/server/solr/dovecot-fts/data
+#      ports:
+#        - "${SOLR_PORT:-127.0.0.1:18983}:8983"
+#      environment:
+#        - TZ=${TZ}
+#        - SOLR_HEAP=${SOLR_HEAP:-1024}
+#        - SKIP_SOLR=${SKIP_SOLR:-y}
+#      networks:
+#        mailcow-network:
+#          aliases:
+#            - solr

     olefy-mailcow:
       image: mailcow/olefy:1.11
@@ -587,7 +587,7 @@ services:
         - unbound-mailcow
         - mysql-mailcow
         - redis-mailcow
-        - clamd-mailcow
+#        - clamd-mailcow
         - rspamd-mailcow
         - php-fpm-mailcow
         - sogo-mailcow
@@ -599,7 +599,7 @@ services:
         - netfilter-mailcow
         - watchdog-mailcow
         - dockerapi-mailcow
-        - solr-mailcow
+#        - solr-mailcow
       environment:
         - TZ=${TZ}
       image: robbertkl/ipv6nat
@@ -631,9 +631,9 @@ volumes:
   mysql-socket-vol-1:
   redis-vol-1:
   rspamd-vol-1:
-  solr-vol-1:
+#  solr-vol-1:
   postfix-vol-1:
   crypt-vol-1:
   sogo-web-vol-1:
   sogo-userdata-backup-vol-1:
-  clamd-db-vol-1:
+#  clamd-db-vol-1

Logs of iptables -L -vn:

Chain INPUT (policy DROP 175 packets, 9151 bytes)
 pkts bytes target     prot opt in     out     source               destination         
29379 5895K MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
30272 5994K ufw-before-logging-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
30272 5994K ufw-before-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
  184  9535 ufw-after-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
  182  9431 ufw-after-logging-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
  182  9431 ufw-reject-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
  182  9431 ufw-track-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 106K   53M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
 107K   54M DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
 107K   54M DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
  229  9816 ACCEPT     0    --  *      br-be98f442de62  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   30  1728 DOCKER     0    --  *      br-be98f442de62  0.0.0.0/0            0.0.0.0/0           
  244 14027 ACCEPT     0    --  br-be98f442de62 !br-be98f442de62  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  br-be98f442de62 br-be98f442de62  0.0.0.0/0            0.0.0.0/0           
27335   15M ACCEPT     0    --  *      br-6e511a439176  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      br-6e511a439176  0.0.0.0/0            0.0.0.0/0           
31099 4508K ACCEPT     0    --  br-6e511a439176 !br-6e511a439176  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  br-6e511a439176 br-6e511a439176  0.0.0.0/0            0.0.0.0/0           
39098   33M ACCEPT     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 3445  218K DOCKER     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
 5128  776K ACCEPT     0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
 3326  211K ACCEPT     0    --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-before-logging-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-before-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-logging-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-reject-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-track-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
36613 6751K ufw-before-logging-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
36613 6751K ufw-before-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
 7812  714K ufw-after-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
 7812  714K ufw-after-logging-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
 7812  714K ufw-reject-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
 7812  714K ufw-track-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (4 references)
 pkts bytes target     prot opt in     out     source               destination         
   29  1680 ACCEPT     6    --  !br-be98f442de62 br-be98f442de62  0.0.0.0/0            172.18.0.2           tcp dpt:2222
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.3           tcp dpt:3306
    2   104 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
    4   240 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
   29  1740 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
   48  2844 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.11          tcp dpt:443
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
    9   500 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.11          tcp dpt:80
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
   27  1620 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
  244 14027 DOCKER-ISOLATION-STAGE-2  0    --  br-be98f442de62 !br-be98f442de62  0.0.0.0/0            0.0.0.0/0           
31099 4508K DOCKER-ISOLATION-STAGE-2  0    --  br-6e511a439176 !br-6e511a439176  0.0.0.0/0            0.0.0.0/0           
 5128  776K DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
 107K   54M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  *      br-be98f442de62  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  *      br-6e511a439176  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
36471 5298K RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 107K   54M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     0    --  *      *       93.177.75.0/24       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     0    --  *      *       5.34.207.0/24        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     0    --  *      *       45.66.230.0/24       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     0    --  *      *       87.246.7.0/24        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     0    --  *      *       141.98.11.0/24       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     0    --  *      *       5.253.204.0/24       0.0.0.0/0            reject-with icmp-port-unreachable
   91  5460 REJECT     0    --  *      *       46.148.40.0/24       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     0    --  *      *       93.177.73.0/24       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     0    --  *      *       185.232.21.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     0    --  *      *       141.98.10.0/24       0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-skip-to-policy-input  17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    0     0 ufw-skip-to-policy-input  17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
    0     0 ufw-skip-to-policy-input  6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    2   104 ufw-skip-to-policy-input  6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 ufw-skip-to-policy-input  17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ufw-skip-to-policy-input  17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ufw-skip-to-policy-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ufw-user-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 6995  648K ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           
23003 5330K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    2    96 ufw-logging-deny  0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    2    96 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
   29  2226 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
  243 13319 ufw-not-local  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
  243 13319 ufw-user-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 6995  648K ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0           
21806 5388K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 7812  714K ufw-user-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  243 13319 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  0    --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   104 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  262 15728 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
 7542  698K ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   204 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
    1    60 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
    1    60 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    3   180 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190
   36  2160 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:38367
    4   600 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:61065
   10   520 ACCEPT     0    --  wg0    *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of ip6tables -L -vn:

Chain INPUT (policy DROP 3 packets, 184 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  437 34955 MAILCOW    0    --  *      *       ::/0                 ::/0                
  641 52504 ufw6-before-logging-input  0    --  *      *       ::/0                 ::/0                
  641 52504 ufw6-before-input  0    --  *      *       ::/0                 ::/0                
    3   184 ufw6-after-input  0    --  *      *       ::/0                 ::/0                
    3   184 ufw6-after-logging-input  0    --  *      *       ::/0                 ::/0                
    3   184 ufw6-reject-input  0    --  *      *       ::/0                 ::/0                
    3   184 ufw6-track-input  0    --  *      *       ::/0                 ::/0                

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
10834 8612K MAILCOW    0    --  *      *       ::/0                 ::/0                
12310 8750K DOCKER-USER  0    --  *      *       ::/0                 ::/0                
12310 8750K DOCKER-ISOLATION-STAGE-1  0    --  *      *       ::/0                 ::/0                
 9612 8442K DOCKER     0    --  *      br-mailcow  ::/0                 ::/0                
 6297 8218K ACCEPT     0    --  *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
 1602  221K ACCEPT     0    --  br-mailcow !br-mailcow  ::/0                 ::/0                
 3078  199K ACCEPT     0    --  br-mailcow br-mailcow  ::/0                 ::/0                
    0     0 DOCKER     0    --  *      docker0  ::/0                 ::/0                
    0     0 ACCEPT     0    --  *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  docker0 !docker0  ::/0                 ::/0                
    0     0 ACCEPT     0    --  docker0 docker0  ::/0                 ::/0                
 1096 86544 ufw6-before-logging-forward  0    --  *      *       ::/0                 ::/0                
 1096 86544 ufw6-before-forward  0    --  *      *       ::/0                 ::/0                
 1093 86364 ufw6-after-forward  0    --  *      *       ::/0                 ::/0                
 1093 86364 ufw6-after-logging-forward  0    --  *      *       ::/0                 ::/0                
 1093 86364 ufw6-reject-forward  0    --  *      *       ::/0                 ::/0                
 1093 86364 ufw6-track-forward  0    --  *      *       ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 6 packets, 576 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  642 56012 ufw6-before-logging-output  0    --  *      *       ::/0                 ::/0                
  642 56012 ufw6-before-output  0    --  *      *       ::/0                 ::/0                
  255 24280 ufw6-after-output  0    --  *      *       ::/0                 ::/0                
  255 24280 ufw6-after-logging-output  0    --  *      *       ::/0                 ::/0                
  255 24280 ufw6-reject-output  0    --  *      *       ::/0                 ::/0                
  255 24280 ufw6-track-output  0    --  *      *       ::/0                 ::/0                

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::5  tcp dpt:587
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::5  tcp dpt:25
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::5  tcp dpt:465
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:110
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:143
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:4190
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:993
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:995
  237 25696 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:443
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  ::/0                 ::/0                
 1592  220K DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  ::/0                 ::/0                
12310 8750K RETURN     0    --  *      *       ::/0                 ::/0                

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      docker0  ::/0                 ::/0                
    0     0 DROP       0    --  *      br-mailcow  ::/0                 ::/0                
 1592  220K RETURN     0    --  *      *       ::/0                 ::/0                

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
12310 8750K RETURN     0    --  *      *       ::/0                 ::/0                

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw6-skip-to-policy-input  17   --  *      *       ::/0                 ::/0                 udp dpt:137
    0     0 ufw6-skip-to-policy-input  17   --  *      *       ::/0                 ::/0                 udp dpt:138
    0     0 ufw6-skip-to-policy-input  6    --  *      *       ::/0                 ::/0                 tcp dpt:139
    0     0 ufw6-skip-to-policy-input  6    --  *      *       ::/0                 ::/0                 tcp dpt:445
    0     0 ufw6-skip-to-policy-input  17   --  *      *       ::/0                 ::/0                 udp dpt:546
    0     0 ufw6-skip-to-policy-input  17   --  *      *       ::/0                 ::/0                 udp dpt:547

Chain ufw6-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      *       ::/0                 ::/0                 rt type:0
    3   180 ACCEPT     0    --  *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 1
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 2
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 3
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 4
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 128
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 129
 1093 86364 ufw6-user-forward  0    --  *      *       ::/0                 ::/0                

Chain ufw6-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  lo     *       ::/0                 ::/0                
    0     0 DROP       0    --  *      *       ::/0                 ::/0                 rt type:0
  264 28624 ACCEPT     0    --  *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 129
    0     0 ufw6-logging-deny  0    --  *      *       ::/0                 ::/0                 ctstate INVALID
    0     0 DROP       0    --  *      *       ::/0                 ::/0                 ctstate INVALID
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 1
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 2
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 3
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 4
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 128
  153  8568 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 133 HL match HL == 255
   13   832 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 134 HL match HL == 255
  122  8784 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 135 HL match HL == 255
   86  5512 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 136 HL match HL == 255
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 141 HL match HL == 255
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 142 HL match HL == 255
    0     0 ACCEPT     58   --  *      *       fe80::/10            ::/0                 ipv6-icmptype 130
    0     0 ACCEPT     58   --  *      *       fe80::/10            ::/0                 ipv6-icmptype 131
    0     0 ACCEPT     58   --  *      *       fe80::/10            ::/0                 ipv6-icmptype 132
    0     0 ACCEPT     58   --  *      *       fe80::/10            ::/0                 ipv6-icmptype 143
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 148 HL match HL == 255
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 149 HL match HL == 255
    0     0 ACCEPT     58   --  *      *       fe80::/10            ::/0                 ipv6-icmptype 151 HL match HL == 1
    0     0 ACCEPT     58   --  *      *       fe80::/10            ::/0                 ipv6-icmptype 152 HL match HL == 1
    0     0 ACCEPT     58   --  *      *       fe80::/10            ::/0                 ipv6-icmptype 153 HL match HL == 1
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 144
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 145
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 146
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 147
    0     0 ACCEPT     17   --  *      *       fe80::/10            fe80::/10            udp spt:547 dpt:546
    0     0 ACCEPT     17   --  *      *       ::/0                 ff02::fb             udp dpt:5353
    0     0 ACCEPT     17   --  *      *       ::/0                 ff02::f              udp dpt:1900
    3   184 ufw6-user-input  0    --  *      *       ::/0                 ::/0                

Chain ufw6-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      lo      ::/0                 ::/0                
    0     0 DROP       0    --  *      *       ::/0                 ::/0                 rt type:0
   96  8448 ACCEPT     0    --  *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 1
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 2
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 3
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 4
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 128
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 129
    1    56 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 133 HL match HL == 255
   68  4416 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 136 HL match HL == 255
  125  9000 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 135 HL match HL == 255
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 134 HL match HL == 255
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 141 HL match HL == 255
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 142 HL match HL == 255
    0     0 ACCEPT     58   --  *      *       fe80::/10            ::/0                 ipv6-icmptype 130
    0     0 ACCEPT     58   --  *      *       fe80::/10            ::/0                 ipv6-icmptype 131
    0     0 ACCEPT     58   --  *      *       fe80::/10            ::/0                 ipv6-icmptype 132
   97  9812 ACCEPT     58   --  *      *       fe80::/10            ::/0                 ipv6-icmptype 143
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 148 HL match HL == 255
    0     0 ACCEPT     58   --  *      *       ::/0                 ::/0                 ipv6-icmptype 149 HL match HL == 255
    0     0 ACCEPT     58   --  *      *       fe80::/10            ::/0                 ipv6-icmptype 151 HL match HL == 1
    0     0 ACCEPT     58   --  *      *       fe80::/10            ::/0                 ipv6-icmptype 152 HL match HL == 1
    0     0 ACCEPT     58   --  *      *       fe80::/10            ::/0                 ipv6-icmptype 153 HL match HL == 1
  255 24280 ufw6-user-output  0    --  *      *       ::/0                 ::/0                

Chain ufw6-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-logging-deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       ::/0                 ::/0                

Chain ufw6-skip-to-policy-input (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      *       ::/0                 ::/0                

Chain ufw6-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       ::/0                 ::/0                

Chain ufw6-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   240 ACCEPT     6    --  *      *       ::/0                 ::/0                 ctstate NEW
   16  1340 ACCEPT     17   --  *      *       ::/0                 ::/0                 ctstate NEW

Chain ufw6-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   16  1280 ACCEPT     6    --  *      *       ::/0                 ::/0                 ctstate NEW
  184 17440 ACCEPT     17   --  *      *       ::/0                 ::/0                 ctstate NEW

Chain ufw6-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw6-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:22
    0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:25
    0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:80
    0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:110
    0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:143
    0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:443
    0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:465
    0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:587
    0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:993
    0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:995
    0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:4190
    0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:38367
    0     0 ACCEPT     17   --  *      *       ::/0                 ::/0                 udp dpt:61065
    0     0 ACCEPT     0    --  wg0    *       ::/0                 ::/0                

Chain ufw6-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     0    --  *      *       ::/0                 ::/0                 reject-with icmp6-port-unreachable

Chain ufw6-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       ::/0                 ::/0                

Chain ufw6-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  *      *       ::/0                 ::/0                

Chain ufw6-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  *      *       ::/0                 ::/0                

Chain ufw6-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  *      *       ::/0                 ::/0                

Chain ufw6-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of iptables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 8937 packets, 603K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  493 28345 DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 59 packets, 4034 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 11441 packets, 940K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     0    --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 14960 packets, 1162K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  0    --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  0    --  *      !br-be98f442de62  172.18.0.0/16        0.0.0.0/0           
 1719  103K MASQUERADE  0    --  *      !br-6e511a439176  172.21.0.0/16        0.0.0.0/0           
 3595  272K MASQUERADE  0    --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0           
    0     0 MASQUERADE  6    --  *      *       172.18.0.2           172.18.0.2           tcp dpt:2222
    0     0 MASQUERADE  6    --  *      *       172.22.1.3           172.22.1.3           tcp dpt:3306
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  6    --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  6    --  *      *       172.22.1.11          172.22.1.11          tcp dpt:443
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  6    --  *      *       172.22.1.11          172.22.1.11          tcp dpt:80
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     0    --  br-be98f442de62 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     0    --  br-6e511a439176 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     0    --  br-mailcow *       0.0.0.0/0            0.0.0.0/0           
   27  1580 DNAT       6    --  !br-be98f442de62 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:172.18.0.2:2222
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.3:3306
    2   104 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
   96  5760 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
   29  1740 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
   46  2724 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.11:443
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
    9   500 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.11:80
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
   27  1620 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110

Logs of ip6tables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 1669 packets, 151K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   264 DOCKER     0    --  *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 62 packets, 5472 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     0    --  *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 445 packets, 36112 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  0    --  *      docker0  ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL
    0     0 MASQUERADE  0    --  *      !docker0  fd00::/80            ::/0                
    0     0 MASQUERADE  0    --  *      br-mailcow  ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL
 1297  122K MASQUERADE  0    --  *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0                
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::5  fd4d:6169:6c63:6f77::5  tcp dpt:587
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::5  fd4d:6169:6c63:6f77::5  tcp dpt:25
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::5  fd4d:6169:6c63:6f77::5  tcp dpt:465
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:110
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:143
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:4190
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:993
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:995
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:443
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  docker0 *       ::/0                 ::/0                
    0     0 RETURN     0    --  br-mailcow *       ::/0                 ::/0                
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::5]:587
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:25 to:[fd4d:6169:6c63:6f77::5]:25
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:465 to:[fd4d:6169:6c63:6f77::5]:465
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:110 to:[fd4d:6169:6c63:6f77::b]:110
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:143 to:[fd4d:6169:6c63:6f77::b]:143
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::b]:4190
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:993 to:[fd4d:6169:6c63:6f77::b]:993
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:995 to:[fd4d:6169:6c63:6f77::b]:995
    1    80 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:443 to:[fd4d:6169:6c63:6f77::10]:443
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:80 to:[fd4d:6169:6c63:6f77::10]:80

DNS check:

151.101.1.69
151.101.193.69
151.101.129.69
151.101.65.69

mailcow / mailcow-dockerized

watchdog (unbound): nagios check_dns plugin SEGFAULT #5121

Contribution guidelines

I've found a bug and checked that ...

Description

Logs:

Steps to reproduce:

Which branch are you using?

Operating System:

Server/VM specifications:

Is Apparmor, SELinux or similar active?

Virtualization technology:

Docker version:

docker-compose version or docker compose version:

mailcow version:

Reverse proxy:

Logs of git diff:

Logs of iptables -L -vn:

Logs of ip6tables -L -vn:

Logs of iptables -L -vn -t nat:

Logs of ip6tables -L -vn -t nat:

DNS check: