Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[client] Make native firewall init fail firewall creation #2784

Merged
merged 2 commits into from
Oct 28, 2024
Merged

[client] Make native firewall init fail firewall creation #2784

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c3aa963
Make native firewall init fail firewall creation
lixmal Oct 25, 2024
674589c
Amend warning
lixmal Oct 25, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 28 additions & 34 deletions client/firewall/create_linux.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
package firewall

import (
"errors"
"fmt"
"os"

Expand Down Expand Up @@ -37,62 +38,55 @@ func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager) (firewal
// in any case, because we need to allow netbird interface traffic
// so we use AllowNetbird traffic from these firewall managers
// for the userspace packet filtering firewall
fm, errFw := createNativeFirewall(iface)
fm, err := createNativeFirewall(iface, stateManager)

if fm != nil {
if err := fm.Init(stateManager); err != nil {
log.Errorf("failed to init nftables manager: %s", err)
}
if !iface.IsUserspaceBind() {
return fm, err
}

if err != nil {
log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
}
return createUserspaceFirewall(iface, fm)
}

if iface.IsUserspaceBind() {
return createUserspaceFirewall(iface, fm, errFw)
func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager) (firewall.Manager, error) {
fm, err := createFW(iface)
if err != nil {
return nil, fmt.Errorf("create firewall: %s", err)
}

return fm, errFw
if err = fm.Init(stateManager); err != nil {
return nil, fmt.Errorf("init firewall: %s", err)
}

return fm, nil
}

func createNativeFirewall(iface IFaceMapper) (firewall.Manager, error) {
func createFW(iface IFaceMapper) (firewall.Manager, error) {
switch check() {
case IPTABLES:
return createIptablesFirewall(iface)
log.Info("creating an iptables firewall manager")
return nbiptables.Create(iface)
case NFTABLES:
return createNftablesFirewall(iface)
log.Info("creating an nftables firewall manager")
return nbnftables.Create(iface)
default:
log.Info("no firewall manager found, trying to use userspace packet filtering firewall")
return nil, fmt.Errorf("no firewall manager found")
return nil, errors.New("no firewall manager found")
}
}

func createIptablesFirewall(iface IFaceMapper) (firewall.Manager, error) {
log.Info("creating an iptables firewall manager")
fm, err := nbiptables.Create(iface)
if err != nil {
log.Errorf("failed to create iptables manager: %s", err)
}
return fm, err
}

func createNftablesFirewall(iface IFaceMapper) (firewall.Manager, error) {
log.Info("creating an nftables firewall manager")
fm, err := nbnftables.Create(iface)
if err != nil {
log.Errorf("failed to create nftables manager: %s", err)
}
return fm, err
}

func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager, errFw error) (firewall.Manager, error) {
func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager) (firewall.Manager, error) {
var errUsp error
if errFw == nil {
if fm != nil {
fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm)
} else {
fm, errUsp = uspfilter.Create(iface)
}

if errUsp != nil {
log.Debugf("failed to create userspace filtering firewall: %s", errUsp)
return nil, errUsp
return nil, fmt.Errorf("create userspace firewall: %s", errUsp)
}

if err := fm.AllowNetbird(); err != nil {
Expand Down
Loading