Refactor firewall manager check (#2054)
Some systems don't play nice with a test chain, so we dropped that idea and instead check for the filter table. With this check we might face a case where iptables is selected once and, on the next netbird up/down, it goes back to using nftables.
This commit is contained in:
parent
e877c9d6c1
commit
6a2929011d
@ -86,7 +86,7 @@ func NewFirewall(context context.Context, iface IFaceMapper) (firewall.Manager,
|
|||||||
// check returns the firewall type based on common lib checks. It returns UNKNOWN if no firewall is found.
|
// check returns the firewall type based on common lib checks. It returns UNKNOWN if no firewall is found.
|
||||||
func check() FWType {
|
func check() FWType {
|
||||||
useIPTABLES := false
|
useIPTABLES := false
|
||||||
testingChain := "netbird-testing"
|
var iptablesChains []string
|
||||||
ip, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
|
ip, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
|
||||||
if err == nil && isIptablesClientAvailable(ip) {
|
if err == nil && isIptablesClientAvailable(ip) {
|
||||||
major, minor, _ := ip.GetIptablesVersion()
|
major, minor, _ := ip.GetIptablesVersion()
|
||||||
@ -97,40 +97,43 @@ func check() FWType {
|
|||||||
|
|
||||||
useIPTABLES = true
|
useIPTABLES = true
|
||||||
|
|
||||||
// create a testing chain to check if iptables is working and to validate if nftables can be used
|
iptablesChains, err = ip.ListChains("filter")
|
||||||
err = ip.NewChain("filter", testingChain)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
log.Errorf("failed to list iptables chains: %s", err)
|
||||||
useIPTABLES = false
|
useIPTABLES = false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
defer func() {
|
|
||||||
if !useIPTABLES {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
err = ip.ClearChain("filter", testingChain)
|
|
||||||
if err != nil {
|
|
||||||
log.Errorf("failed to clear netbird-testing chain: %v", err)
|
|
||||||
}
|
|
||||||
err = ip.DeleteChain("filter", testingChain)
|
|
||||||
if err != nil {
|
|
||||||
log.Errorf("failed to delete netbird-testing chain: %v", err)
|
|
||||||
}
|
|
||||||
}()
|
|
||||||
|
|
||||||
nf := nftables.Conn{}
|
nf := nftables.Conn{}
|
||||||
if chains, err := nf.ListChains(); err == nil && os.Getenv(SKIP_NFTABLES_ENV) != "true" {
|
if chains, err := nf.ListChains(); err == nil && os.Getenv(SKIP_NFTABLES_ENV) != "true" {
|
||||||
if !useIPTABLES {
|
if !useIPTABLES {
|
||||||
return NFTABLES
|
return NFTABLES
|
||||||
}
|
}
|
||||||
// search for the testing chain created by iptables client
|
|
||||||
// failing to find it means that nftables can be used but the system is using a version of iptables
|
// search for chains where table is filter
|
||||||
// that doesn't work well with our nftables manager
|
// if we find one, we assume that nftables manager can be used with iptables
|
||||||
for _, chain := range chains {
|
for _, chain := range chains {
|
||||||
if chain.Name == testingChain {
|
if chain.Table.Name == "filter" {
|
||||||
return NFTABLES
|
return NFTABLES
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// check tables for the following constraints:
|
||||||
|
// 1. there is no chain in nftables for the filter table and there is at least one chain in iptables, we assume that nftables manager can not be used
|
||||||
|
// 2. there is no tables or more than one table, we assume that nftables manager can be used
|
||||||
|
// 3. there is only one table and its name is filter, we assume that nftables manager can not be used, since there was no chain in it
|
||||||
|
// 4. if we find an error we log and continue with iptables check
|
||||||
|
nbTablesList, err := nf.ListTables()
|
||||||
|
switch {
|
||||||
|
case err == nil && len(iptablesChains) > 0:
|
||||||
|
return IPTABLES
|
||||||
|
case err == nil && len(nbTablesList) != 1:
|
||||||
|
return NFTABLES
|
||||||
|
case err == nil && len(nbTablesList) == 1 && nbTablesList[0].Name == "filter":
|
||||||
|
return IPTABLES
|
||||||
|
case err != nil:
|
||||||
|
log.Errorf("failed to list nftables tables on fw manager discovery: %s", err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if useIPTABLES {
|
if useIPTABLES {
|
||||||
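Review bot: The new filter-table probe at `if chain.Table.Name == "filter" {` (and the `nbTablesList[0].Name == "filter"` case below it) matches on table name alone, so any table named `filter` in any family — for example a user's own `table inet filter`, the name used in most nftables examples — is taken as proof that the nftables manager works alongside iptables, even on a host whose iptables is the legacy backend. iptables-nft appears to create its tables in the `ip` family, so the check would be tighter as `if chain.Table.Name == "filter" && chain.Table.Family == nftables.TableFamilyIPv4 {`, assuming google/nftables populates `Chain.Table` for every chain returned by ListChains, which I could not verify from this hunk. Since the commit message already accepts that the selected manager can differ between `up` and `down`, a short comment above the new switch would help the next maintainer, such as `// NOTE: selection depends on live ruleset state and may differ across runs; teardown must tolerate rules installed by either manager`. The `%s` in the new `log.Errorf("failed to list iptables chains: %s", err)` also differs from the `%v` used by the neighbouring error logs. check() continues past the end of this hunk.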
|