FIx error on ip6tables not available (#999)

* adding check operation to confirm if ip*tables is available * linter * linter
2025-06-20 01:38:41 +02:00 · 2023-07-14 20:44:35 +02:00 · 2023-07-14 20:44:35 +02:00 · c6af1037d9
commit c6af1037d9
parent 5cb9a126f1
3 changed files with 132 additions and 94 deletions
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@ -58,13 +58,17 @@ func Create(wgIface iFaceMapper) (*Manager, error) {
 	if err != nil {
 		return nil, fmt.Errorf("iptables is not installed in the system or not supported")
 	}
-	m.ipv4Client = ipv4Client
+	if isIptablesClientAvailable(ipv4Client) {
 		m.ipv4Client = ipv4Client
 	}
 	ipv6Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
 	if err != nil {
 		log.Errorf("ip6tables is not installed in the system or not supported: %v", err)
 	} else {
-		m.ipv6Client = ipv6Client
+		if isIptablesClientAvailable(ipv6Client) {
 			m.ipv6Client = ipv6Client
 		}
 	}
 	if err := m.Reset(); err != nil {
@ -73,6 +77,11 @@ func Create(wgIface iFaceMapper) (*Manager, error) {
 	return m, nil
 }
 func isIptablesClientAvailable(client *iptables.IPTables) bool {
 	_, err := client.ListChains("filter")
 	return err == nil
 }
 // AddFiltering rule to the firewall
 //
 // If comment is empty rule ID is used as comment
--- a/client/internal/routemanager/firewall_linux.go
+++ b/client/internal/routemanager/firewall_linux.go
@ -35,7 +35,15 @@ func NewFirewall(parentCTX context.Context) firewallManager {
 	if isIptablesSupported() {
 		log.Debugf("iptables is supported")
 		ipv4Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 		if !isIptablesClientAvailable(ipv4Client) {
 			log.Infof("iptables is missing for ipv4")
 			ipv4Client = nil
 		}
 		ipv6Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv6)
 		if !isIptablesClientAvailable(ipv6Client) {
 			log.Infof("iptables is missing for ipv6")
 			ipv6Client = nil
 		}
 		return &iptablesManager{
 			ctx:        ctx,
@ -59,6 +67,11 @@ func NewFirewall(parentCTX context.Context) firewallManager {
 	return manager
 }
 func isIptablesClientAvailable(client *iptables.IPTables) bool {
 	_, err := client.ListChains("filter")
 	return err == nil
 }
 func getInPair(pair routerPair) routerPair {
 	return routerPair{
 		ID: pair.ID,
--- a/client/internal/routemanager/iptables_linux.go
+++ b/client/internal/routemanager/iptables_linux.go
@ -61,24 +61,28 @@ func (i *iptablesManager) CleanRoutingRules() {
 	log.Debug("flushing tables")
 	errMSGFormat := "iptables: failed cleaning %s chain %s,error: %v"
-	err = i.ipv4Client.ClearAndDeleteChain(iptablesFilterTable, iptablesRoutingForwardingChain)
+	if i.ipv4Client != nil {
-	if err != nil {
+		err = i.ipv4Client.ClearAndDeleteChain(iptablesFilterTable, iptablesRoutingForwardingChain)
-		log.Errorf(errMSGFormat, ipv4, iptablesRoutingForwardingChain, err)
+		if err != nil {
 			log.Errorf(errMSGFormat, ipv4, iptablesRoutingForwardingChain, err)
 		}
 		err = i.ipv4Client.ClearAndDeleteChain(iptablesNatTable, iptablesRoutingNatChain)
 		if err != nil {
 			log.Errorf(errMSGFormat, ipv4, iptablesRoutingNatChain, err)
 		}
 	}
-	err = i.ipv4Client.ClearAndDeleteChain(iptablesNatTable, iptablesRoutingNatChain)
+	if i.ipv6Client != nil {
-	if err != nil {
+		err = i.ipv6Client.ClearAndDeleteChain(iptablesFilterTable, iptablesRoutingForwardingChain)
-		log.Errorf(errMSGFormat, ipv4, iptablesRoutingNatChain, err)
+		if err != nil {
-	}
+			log.Errorf(errMSGFormat, ipv6, iptablesRoutingForwardingChain, err)
 		}
-	err = i.ipv6Client.ClearAndDeleteChain(iptablesFilterTable, iptablesRoutingForwardingChain)
+		err = i.ipv6Client.ClearAndDeleteChain(iptablesNatTable, iptablesRoutingNatChain)
-	if err != nil {
+		if err != nil {
-		log.Errorf(errMSGFormat, ipv6, iptablesRoutingForwardingChain, err)
+			log.Errorf(errMSGFormat, ipv6, iptablesRoutingNatChain, err)
-	}
+		}
 	err = i.ipv6Client.ClearAndDeleteChain(iptablesNatTable, iptablesRoutingNatChain)
 	if err != nil {
 		log.Errorf(errMSGFormat, ipv6, iptablesRoutingNatChain, err)
 	}
 	log.Info("done cleaning up iptables rules")
@ -96,37 +100,41 @@ func (i *iptablesManager) RestoreOrCreateContainers() error {
 	errMSGFormat := "iptables: failed creating %s chain %s,error: %v"
-	err := createChain(i.ipv4Client, iptablesFilterTable, iptablesRoutingForwardingChain)
+	if i.ipv4Client != nil {
-	if err != nil {
+		err := createChain(i.ipv4Client, iptablesFilterTable, iptablesRoutingForwardingChain)
-		return fmt.Errorf(errMSGFormat, ipv4, iptablesRoutingForwardingChain, err)
+		if err != nil {
 			return fmt.Errorf(errMSGFormat, ipv4, iptablesRoutingForwardingChain, err)
 		}
 		err = createChain(i.ipv4Client, iptablesNatTable, iptablesRoutingNatChain)
 		if err != nil {
 			return fmt.Errorf(errMSGFormat, ipv4, iptablesRoutingNatChain, err)
 		}
 		err = i.restoreRules(i.ipv4Client)
 		if err != nil {
 			return fmt.Errorf("iptables: error while restoring ipv4 rules: %v", err)
 		}
 	}
-	err = createChain(i.ipv4Client, iptablesNatTable, iptablesRoutingNatChain)
+	if i.ipv6Client != nil {
-	if err != nil {
+		err := createChain(i.ipv6Client, iptablesFilterTable, iptablesRoutingForwardingChain)
-		return fmt.Errorf(errMSGFormat, ipv4, iptablesRoutingNatChain, err)
+		if err != nil {
 			return fmt.Errorf(errMSGFormat, ipv6, iptablesRoutingForwardingChain, err)
 		}
 		err = createChain(i.ipv6Client, iptablesNatTable, iptablesRoutingNatChain)
 		if err != nil {
 			return fmt.Errorf(errMSGFormat, ipv6, iptablesRoutingNatChain, err)
 		}
 		err = i.restoreRules(i.ipv6Client)
 		if err != nil {
 			return fmt.Errorf("iptables: error while restoring ipv6 rules: %v", err)
 		}
 	}
-	err = createChain(i.ipv6Client, iptablesFilterTable, iptablesRoutingForwardingChain)
+	err := i.addJumpRules()
 	if err != nil {
 		return fmt.Errorf(errMSGFormat, ipv6, iptablesRoutingForwardingChain, err)
 	}
 	err = createChain(i.ipv6Client, iptablesNatTable, iptablesRoutingNatChain)
 	if err != nil {
 		return fmt.Errorf(errMSGFormat, ipv6, iptablesRoutingNatChain, err)
 	}
 	err = i.restoreRules(i.ipv4Client)
 	if err != nil {
 		return fmt.Errorf("iptables: error while restoring ipv4 rules: %v", err)
 	}
 	err = i.restoreRules(i.ipv6Client)
 	if err != nil {
 		return fmt.Errorf("iptables: error while restoring ipv6 rules: %v", err)
 	}
 	err = i.addJumpRules()
 	if err != nil {
 		return fmt.Errorf("iptables: error while creating jump rules: %v", err)
 	}
@ -140,34 +148,38 @@ func (i *iptablesManager) addJumpRules() error {
 	if err != nil {
 		return err
 	}
-	rule := append(iptablesDefaultForwardingRule, ipv4Forwarding)
+	if i.ipv4Client != nil {
-	err = i.ipv4Client.Insert(iptablesFilterTable, iptablesForwardChain, 1, rule...)
+		rule := append(iptablesDefaultForwardingRule, ipv4Forwarding)
-	if err != nil {
+
-		return err
+		err = i.ipv4Client.Insert(iptablesFilterTable, iptablesForwardChain, 1, rule...)
 		if err != nil {
 			return err
 		}
 		i.rules[ipv4][ipv4Forwarding] = rule
 		rule = append(iptablesDefaultNatRule, ipv4Nat)
 		err = i.ipv4Client.Insert(iptablesNatTable, iptablesPostRoutingChain, 1, rule...)
 		if err != nil {
 			return err
 		}
 		i.rules[ipv4][ipv4Nat] = rule
 	}
-	i.rules[ipv4][ipv4Forwarding] = rule
+	if i.ipv6Client != nil {
 		rule := append(iptablesDefaultForwardingRule, ipv6Forwarding)
 		err = i.ipv6Client.Insert(iptablesFilterTable, iptablesForwardChain, 1, rule...)
 		if err != nil {
 			return err
 		}
 		i.rules[ipv6][ipv6Forwarding] = rule
-	rule = append(iptablesDefaultNatRule, ipv4Nat)
+		rule = append(iptablesDefaultNatRule, ipv6Nat)
-	err = i.ipv4Client.Insert(iptablesNatTable, iptablesPostRoutingChain, 1, rule...)
+		err = i.ipv6Client.Insert(iptablesNatTable, iptablesPostRoutingChain, 1, rule...)
-	if err != nil {
+		if err != nil {
-		return err
+			return err
 		}
 		i.rules[ipv6][ipv6Nat] = rule
 	}
 	i.rules[ipv4][ipv4Nat] = rule
 	rule = append(iptablesDefaultForwardingRule, ipv6Forwarding)
 	err = i.ipv6Client.Insert(iptablesFilterTable, iptablesForwardChain, 1, rule...)
 	if err != nil {
 		return err
 	}
 	i.rules[ipv6][ipv6Forwarding] = rule
 	rule = append(iptablesDefaultNatRule, ipv6Nat)
 	err = i.ipv6Client.Insert(iptablesNatTable, iptablesPostRoutingChain, 1, rule...)
 	if err != nil {
 		return err
 	}
 	i.rules[ipv6][ipv6Nat] = rule
 	return nil
 }
@ -177,35 +189,39 @@ func (i *iptablesManager) cleanJumpRules() error {
 	var err error
 	errMSGFormat := "iptables: failed cleaning rule from %s chain %s,err: %v"
 	rule, found := i.rules[ipv4][ipv4Forwarding]
-	if found {
+	if i.ipv4Client != nil {
-		log.Debugf("iptables: removing %s rule: %s ", ipv4, ipv4Forwarding)
+		if found {
-		err = i.ipv4Client.DeleteIfExists(iptablesFilterTable, iptablesForwardChain, rule...)
+			log.Debugf("iptables: removing %s rule: %s ", ipv4, ipv4Forwarding)
-		if err != nil {
+			err = i.ipv4Client.DeleteIfExists(iptablesFilterTable, iptablesForwardChain, rule...)
-			return fmt.Errorf(errMSGFormat, ipv4, iptablesForwardChain, err)
+			if err != nil {
 				return fmt.Errorf(errMSGFormat, ipv4, iptablesForwardChain, err)
 			}
 		}
 		rule, found = i.rules[ipv4][ipv4Nat]
 		if found {
 			log.Debugf("iptables: removing %s rule: %s ", ipv4, ipv4Nat)
 			err = i.ipv4Client.DeleteIfExists(iptablesNatTable, iptablesPostRoutingChain, rule...)
 			if err != nil {
 				return fmt.Errorf(errMSGFormat, ipv4, iptablesPostRoutingChain, err)
 			}
 		}
 	}
-	rule, found = i.rules[ipv4][ipv4Nat]
+	if i.ipv6Client == nil {
-	if found {
+		rule, found = i.rules[ipv6][ipv6Forwarding]
-		log.Debugf("iptables: removing %s rule: %s ", ipv4, ipv4Nat)
+		if found {
-		err = i.ipv4Client.DeleteIfExists(iptablesNatTable, iptablesPostRoutingChain, rule...)
+			log.Debugf("iptables: removing %s rule: %s ", ipv6, ipv6Forwarding)
-		if err != nil {
+			err = i.ipv6Client.DeleteIfExists(iptablesFilterTable, iptablesForwardChain, rule...)
-			return fmt.Errorf(errMSGFormat, ipv4, iptablesPostRoutingChain, err)
+			if err != nil {
 				return fmt.Errorf(errMSGFormat, ipv6, iptablesForwardChain, err)
 			}
 		}
-	}
+		rule, found = i.rules[ipv6][ipv6Nat]
-	rule, found = i.rules[ipv6][ipv6Forwarding]
+		if found {
-	if found {
+			log.Debugf("iptables: removing %s rule: %s ", ipv6, ipv6Nat)
-		log.Debugf("iptables: removing %s rule: %s ", ipv6, ipv6Forwarding)
+			err = i.ipv6Client.DeleteIfExists(iptablesNatTable, iptablesPostRoutingChain, rule...)
-		err = i.ipv6Client.DeleteIfExists(iptablesFilterTable, iptablesForwardChain, rule...)
+			if err != nil {
-		if err != nil {
+				return fmt.Errorf(errMSGFormat, ipv6, iptablesPostRoutingChain, err)
-			return fmt.Errorf(errMSGFormat, ipv6, iptablesForwardChain, err)
+			}
 		}
 	}
 	rule, found = i.rules[ipv6][ipv6Nat]
 	if found {
 		log.Debugf("iptables: removing %s rule: %s ", ipv6, ipv6Nat)
 		err = i.ipv6Client.DeleteIfExists(iptablesNatTable, iptablesPostRoutingChain, rule...)
 		if err != nil {
 			return fmt.Errorf(errMSGFormat, ipv6, iptablesPostRoutingChain, err)
 		}
 	}
 	return nil