extern/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2024-11-23 08:33:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

[client] Make native firewall init fail firewall creation (#2784)

Browse Source
This commit is contained in:
Viktor Liu 2024-10-28 10:02:27 +01:00 committed by GitHub
parent 8016710d24
commit 0fd874fa45
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 29 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
client/firewall/create_linux.go
View File

@ -3,6 +3,7 @@
package firewall package firewall
import ( import (
"errors"
"fmt" "fmt"
"os" "os"
@ -37,62 +38,55 @@ func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager) (firewal
// in any case, because we need to allow netbird interface traffic // in any case, because we need to allow netbird interface traffic
// so we use AllowNetbird traffic from these firewall managers // so we use AllowNetbird traffic from these firewall managers
// for the userspace packet filtering firewall // for the userspace packet filtering firewall
fm, errFw := createNativeFirewall(iface) fm, err := createNativeFirewall(iface, stateManager)
if fm != nil { if !iface.IsUserspaceBind() {
if err := fm.Init(stateManager); err != nil { return fm, err
log.Errorf("failed to init nftables manager: %s", err)
}
} }
if iface.IsUserspaceBind() { if err != nil {
return createUserspaceFirewall(iface, fm, errFw) log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
} }
return createUserspaceFirewall(iface, fm)
return fm, errFw
} }
func createNativeFirewall(iface IFaceMapper) (firewall.Manager, error) { func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager) (firewall.Manager, error) {
fm, err := createFW(iface)
if err != nil {
return nil, fmt.Errorf("create firewall: %s", err)
}
if err = fm.Init(stateManager); err != nil {
return nil, fmt.Errorf("init firewall: %s", err)
}
return fm, nil
}
func createFW(iface IFaceMapper) (firewall.Manager, error) {
switch check() { switch check() {
case IPTABLES: case IPTABLES:
return createIptablesFirewall(iface) log.Info("creating an iptables firewall manager")
return nbiptables.Create(iface)
case NFTABLES: case NFTABLES:
return createNftablesFirewall(iface) log.Info("creating an nftables firewall manager")
return nbnftables.Create(iface)
default: default:
log.Info("no firewall manager found, trying to use userspace packet filtering firewall") log.Info("no firewall manager found, trying to use userspace packet filtering firewall")
return nil, fmt.Errorf("no firewall manager found") return nil, errors.New("no firewall manager found")
} }
} }
func createIptablesFirewall(iface IFaceMapper) (firewall.Manager, error) { func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager) (firewall.Manager, error) {
log.Info("creating an iptables firewall manager")
fm, err := nbiptables.Create(iface)
if err != nil {
log.Errorf("failed to create iptables manager: %s", err)
}
return fm, err
}
func createNftablesFirewall(iface IFaceMapper) (firewall.Manager, error) {
log.Info("creating an nftables firewall manager")
fm, err := nbnftables.Create(iface)
if err != nil {
log.Errorf("failed to create nftables manager: %s", err)
}
return fm, err
}
func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager, errFw error) (firewall.Manager, error) {
var errUsp error var errUsp error
if errFw == nil { if fm != nil {
fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm) fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm)
} else { } else {
fm, errUsp = uspfilter.Create(iface) fm, errUsp = uspfilter.Create(iface)
} }
if errUsp != nil { if errUsp != nil {
log.Debugf("failed to create userspace filtering firewall: %s", errUsp) return nil, fmt.Errorf("create userspace firewall: %s", errUsp)
return nil, errUsp
} }
if err := fm.AllowNetbird(); err != nil { if err := fm.AllowNetbird(); err != nil {