New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
util/linuxfw: fix IPv6 availability check for nftables #12009
Conversation
9dc13af
to
1155420
Compare
When running firewall in nftables mode, there is no need for a separate NAT availability check (unlike with iptables, there are no hosts that support nftables, but not IPv6 NAT - see #11353). This change fixes a firewall NAT availability check that was using the no-longer set ipv6NATAvailable field by removing the field and using a method that, for nftables, just checks that IPv6 is available. Updates #12008 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
func (n *nftablesRunner) getTables() []*nftable { | ||
if n.v6Available { | ||
if n.HasIPV6() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For consistency, does not change anything functionally
Test that the expected number of nftables tables/chains are created depending on whether the host supports IPv6 or not. Signed-off-by: Irbe Krumina <irbe@tailscale.com>
util/linuxfw/linuxfw.go
Outdated
@@ -109,7 +109,8 @@ func getTailscaleSubnetRouteMark() []byte { | |||
// missing. It does not check that IPv6 is currently functional or | |||
// that there's a global address, just that the system would support | |||
// IPv6 if it were on an IPv6 network. | |||
func CheckIPv6(logf logger.Logf) error { | |||
// CheckIPv6 can be overridden in tests. | |||
var CheckIPv6 = func(logf logger.Logf) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd prefer this signature remain unchanged and instead add a new unexported package-level func that, if non-nil, is used inside the body, like:
var checkIPv6ForTest func(logger.Logf) error // non-nil in some tests
func CheckIPv6(logf logger.Logf) error {
if f := checkIPv6ForTest; f != nil {
return f(logf)
}
....
Then use tstest.Replace to set it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh that's really nice
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM after addressing brads comment about using tstest.Replace in tests with a package private var.
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
* util/linuxfw: fix IPv6 NAT availability check for nftables When running firewall in nftables mode, there is no need for a separate NAT availability check (unlike with iptables, there are no hosts that support nftables, but not IPv6 NAT - see #11353). This change fixes a firewall NAT availability check that was using the no-longer set ipv6NATAvailable field by removing the field and using a method that, for nftables, just checks that IPv6 is available. Updates #12008 Signed-off-by: Irbe Krumina <irbe@tailscale.com> (cherry picked from commit 7ef2f72)
* util/linuxfw: fix IPv6 NAT availability check for nftables When running firewall in nftables mode, there is no need for a separate NAT availability check (unlike with iptables, there are no hosts that support nftables, but not IPv6 NAT - see #11353). This change fixes a firewall NAT availability check that was using the no-longer set ipv6NATAvailable field by removing the field and using a method that, for nftables, just checks that IPv6 is available. Updates #12008 Signed-off-by: Irbe Krumina <irbe@tailscale.com> (cherry picked from commit 7ef2f72)
See #11353 for context- this change fixes a firewall NAT availability check that was using the no-longer set ipv6NATAvailable field by removing the field and using a method that, for nftables, just checks that IPv6 is available.
When running firewall in nftables mode,
there is no need for a separate NAT availability check (unlike with iptables, there are no hosts that support nftables, but not IPv6 NAT - see #11353).
I have tested that with this change the IPv6 NAT table gets created as expected:
/ # nft list ruleset table ip filter { chain FORWARD { type filter hook forward priority filter; policy accept; counter packets 0 bytes 0 jump ts-forward }
}
table ip nat {
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 46 bytes 6233 jump ts-postrouting
}
}
table ip6 filter {
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 28 bytes 23435 jump ts-forward
}
}
table ip6 nat {
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 28 bytes 2540 jump ts-postrouting
}
}
Also updated tests to test the amount of chains/tables created depending on whether the IPv6 check errors out or not- that would have caught this bug.
Updates #12008