netbird/iface/nat_linux.go

package iface

import (
	"github.com/google/nftables"
	"github.com/google/nftables/expr"
	log "github.com/sirupsen/logrus"
	"github.com/vishvananda/netns"
	"io/ioutil"
)

// Configure routing and IP masquerading
//todo more docs on what exactly happens here and why it is needed
func ConfigureNAT(primaryIface string) error {
	log.Debugf("adding NAT / IP masquerading using nftables")
	ns, err := netns.Get()
	if err != nil {
		return err
	}

	conn := nftables.Conn{NetNS: int(ns)}

	log.Debugf("flushing nftable rulesets")
	conn.FlushRuleset()

	log.Debugf("setting up nftable rules for ip masquerading")

	nat := conn.AddTable(&nftables.Table{
		Family: nftables.TableFamilyIPv4,
		Name:   "nat",
	})

	conn.AddChain(&nftables.Chain{
		Name:     "prerouting",
		Table:    nat,
		Type:     nftables.ChainTypeNAT,
		Hooknum:  nftables.ChainHookPrerouting,
		Priority: nftables.ChainPriorityFilter,
	})

	post := conn.AddChain(&nftables.Chain{
		Name:     "postrouting",
		Table:    nat,
		Type:     nftables.ChainTypeNAT,
		Hooknum:  nftables.ChainHookPostrouting,
		Priority: nftables.ChainPriorityNATSource,
	})

	conn.AddRule(&nftables.Rule{
		Table: nat,
		Chain: post,
		Exprs: []expr.Any{
			&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
			&expr.Cmp{
				Op:       expr.CmpOpEq,
				Register: 1,
				Data:     ifname(primaryIface),
			},
			&expr.Masq{},
		},
	})

	if err := conn.Flush(); err != nil {
		return err
	}

	return nil
}

// Enables IP forwarding system property.
// Mostly used when you setup one peer as a VPN server.
func EnableIPForward() error {
	f := "/proc/sys/net/ipv4/ip_forward"

	content, err := ioutil.ReadFile(f)
	if err != nil {
		return err
	}

	if string(content) == "0\n" {
		log.Info("enabling IP Forward")
		return ioutil.WriteFile(f, []byte("1"), 0600)
	}

	return nil
}
feat: first project flow 2021-04-14 14:20:25 +02:00			`package iface`

			`import (`
			`"github.com/google/nftables"`
			`"github.com/google/nftables/expr"`
			`log "github.com/sirupsen/logrus"`
			`"github.com/vishvananda/netns"`
			`"io/ioutil"`
			`)`

			`// Configure routing and IP masquerading`
			`//todo more docs on what exactly happens here and why it is needed`
			`func ConfigureNAT(primaryIface string) error {`
			`log.Debugf("adding NAT / IP masquerading using nftables")`
			`ns, err := netns.Get()`
			`if err != nil {`
			`return err`
			`}`

			`conn := nftables.Conn{NetNS: int(ns)}`

			`log.Debugf("flushing nftable rulesets")`
			`conn.FlushRuleset()`

			`log.Debugf("setting up nftable rules for ip masquerading")`

			`nat := conn.AddTable(&nftables.Table{`
			`Family: nftables.TableFamilyIPv4,`
			`Name: "nat",`
			`})`

			`conn.AddChain(&nftables.Chain{`
			`Name: "prerouting",`
			`Table: nat,`
			`Type: nftables.ChainTypeNAT,`
			`Hooknum: nftables.ChainHookPrerouting,`
			`Priority: nftables.ChainPriorityFilter,`
			`})`

			`post := conn.AddChain(&nftables.Chain{`
			`Name: "postrouting",`
			`Table: nat,`
			`Type: nftables.ChainTypeNAT,`
			`Hooknum: nftables.ChainHookPostrouting,`
			`Priority: nftables.ChainPriorityNATSource,`
			`})`

			`conn.AddRule(&nftables.Rule{`
			`Table: nat,`
			`Chain: post,`
			`Exprs: []expr.Any{`
			`&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},`
			`&expr.Cmp{`
			`Op: expr.CmpOpEq,`
			`Register: 1,`
			`Data: ifname(primaryIface),`
			`},`
			`&expr.Masq{},`
			`},`
			`})`

			`if err := conn.Flush(); err != nil {`
			`return err`
			`}`

			`return nil`
			`}`

			`// Enables IP forwarding system property.`
			`// Mostly used when you setup one peer as a VPN server.`
			`func EnableIPForward() error {`
			`f := "/proc/sys/net/ipv4/ip_forward"`

			`content, err := ioutil.ReadFile(f)`
			`if err != nil {`
			`return err`
			`}`

			`if string(content) == "0\n" {`
			`log.Info("enabling IP Forward")`
			`return ioutil.WriteFile(f, []byte("1"), 0600)`
			`}`

			`return nil`
			`}`