util/linuxfw: fix IPv6 availability check for nftables #12009
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
irbekrm
force-pushed
the
irbekrm/ipv6nat
branch
2 times, most recently
from
9dc13af
to
1155420
Compare
When running firewall in nftables mode, there is no need for a separate NAT availability check (unlike with iptables, there are no hosts that support nftables, but not IPv6 NAT - see #11353). This change fixes a firewall NAT availability check that was using the no-longer set ipv6NATAvailable field by removing the field and using a method that, for nftables, just checks that IPv6 is available. Updates #12008 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
irbekrm
changed the title
irbekrm
commented
May 5, 2024
| func (n *nftablesRunner) getTables() []*nftable { | ||
| if n.v6Available { | ||
| if n.HasIPV6() { |
There was a problem hiding this comment.
For consistency, does not change anything functionally
Test that the expected number of nftables tables/chains are created depending on whether the host supports IPv6 or not. Signed-off-by: Irbe Krumina <irbe@tailscale.com>
bradfitz
reviewed
May 14, 2024
util/linuxfw/linuxfw.go
Outdated
| @@ -109,7 +109,8 @@ func getTailscaleSubnetRouteMark() []byte { | |||
| // missing. It does not check that IPv6 is currently functional or | |||
| // that there's a global address, just that the system would support | |||
| // IPv6 if it were on an IPv6 network. | |||
| func CheckIPv6(logf logger.Logf) error { | |||
| // CheckIPv6 can be overridden in tests. | |||
| var CheckIPv6 = func(logf logger.Logf) error { | |||
There was a problem hiding this comment.
I'd prefer this signature remain unchanged and instead add a new unexported package-level func that, if non-nil, is used inside the body, like:
var checkIPv6ForTest func(logger.Logf) error // non-nil in some tests
func CheckIPv6(logf logger.Logf) error {
if f := checkIPv6ForTest; f != nil {
return f(logf)
}
....Then use tstest.Replace to set it.
There was a problem hiding this comment.
Oh that's really nice
maisem
approved these changes
May 14, 2024
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
irbekrm
added a commit
that referenced
this pull request
May 14, 2024
* util/linuxfw: fix IPv6 NAT availability check for nftables When running firewall in nftables mode, there is no need for a separate NAT availability check (unlike with iptables, there are no hosts that support nftables, but not IPv6 NAT - see #11353). This change fixes a firewall NAT availability check that was using the no-longer set ipv6NATAvailable field by removing the field and using a method that, for nftables, just checks that IPv6 is available. Updates #12008 Signed-off-by: Irbe Krumina <irbe@tailscale.com> (cherry picked from commit 7ef2f72)
irbekrm
added a commit
that referenced
this pull request
May 14, 2024
* util/linuxfw: fix IPv6 NAT availability check for nftables When running firewall in nftables mode, there is no need for a separate NAT availability check (unlike with iptables, there are no hosts that support nftables, but not IPv6 NAT - see #11353). This change fixes a firewall NAT availability check that was using the no-longer set ipv6NATAvailable field by removing the field and using a method that, for nftables, just checks that IPv6 is available. Updates #12008 Signed-off-by: Irbe Krumina <irbe@tailscale.com> (cherry picked from commit 7ef2f72)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See #11353 for context- this change fixes a firewall NAT availability check that was using the no-longer set ipv6NATAvailable field by removing the field and using a method that, for nftables, just checks that IPv6 is available.
When running firewall in nftables mode,
there is no need for a separate NAT availability check (unlike with iptables, there are no hosts that support nftables, but not IPv6 NAT - see #11353).
I have tested that with this change the IPv6 NAT table gets created as expected:
/ # nft list ruleset table ip filter { chain FORWARD { type filter hook forward priority filter; policy accept; counter packets 0 bytes 0 jump ts-forward }}
table ip nat {
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 46 bytes 6233 jump ts-postrouting
}
}
table ip6 filter {
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 28 bytes 23435 jump ts-forward
}
}
table ip6 nat {
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 28 bytes 2540 jump ts-postrouting
}
}
Also updated tests to test the amount of chains/tables created depending on whether the IPv6 check errors out or not- that would have caught this bug.
Updates #12008