From 9c914dc7dd37032ab02362767eb6f46df543b305 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Fri, 15 May 2020 06:53:03 +0000
Subject: [PATCH] wgengine/router: stop using -m comment.

The comment module is compiled out on several embedded systems (and also gentoo, because netfilter can't go brrrr with comments holding it back). Attempting to use comments results in a confusing error, and a non-functional firewall.

Additionally, make the legacy rule cleanup non-fatal, because we *do* have to probe for the existence of these -m comment rules, and doing so will error out on these systems.

Signed-off-by: David Anderson
---
 wgengine/router/router_linux.go | 6 +++---
 wgengine/router/router_linux_test.go | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/wgengine/router/router_linux.go b/wgengine/router/router_linux.go
index 1cd24890e..a037b4054 100644
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -603,7 +603,7 @@ func (r *linuxRouter) addNetfilterBase() error {
 //
 // Note, this will definitely break nodes that end up using the
 // CGNAT range for other purposes :(.
- args := []string{"!", "-i", r.tunname, "-s", chromeOSVMRange, "-m", "comment", "--comment", "ChromeOS VM connectivity", "-j", "RETURN"}
+ args := []string{"!", "-i", r.tunname, "-s", chromeOSVMRange, "-j", "RETURN"}
 if err := r.ipt4.Append("filter", "ts-input", args...); err != nil {
 return fmt.Errorf("adding %v in filter/ts-input: %v", args, err)
 }
@@ -811,10 +811,10 @@ func (r *linuxRouter) delLegacyNetfilter() error {
 }
 if err := del("filter", "FORWARD", "-m", "comment", "--comment", "tailscale", "-i", r.tunname, "-j", "ACCEPT"); err != nil {
- return err
+ r.logf("failed to delete legacy rule, continuing anyway: %v", err)
 }
 if err := del("nat", "POSTROUTING", "-m", "comment", "--comment", "tailscale", "-o", "eth0", "-j", "MASQUERADE"); err != nil {
- return err
+ r.logf("failed to delete legacy rule, continuing anyway: %v", err)
 }
 return nil
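Review bot: The rewritten args line in addNetfilterBase drops the `-m comment` match without recording why in the code, so a later maintainer reading only this file may reintroduce it to make `iptables -S` output self-describing and break the kernels this commit is working around. Add a one-line comment directly above the args line, e.g. `// Deliberately no -m comment: xt_comment is compiled out on some embedded/gentoo kernels and its absence makes the rule fail to load.` The commit message says the cleanup code still has to probe for `-m comment` rules, so other rules in this file may still name the module; that is outside this hunk. addNetfilterBase begins and ends outside the hunk.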
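Review bot: The two new r.logf calls in delLegacyNetfilter emit an identical message, so when a deletion fails the log does not say whether it was the `filter/FORWARD -i <tun> -j ACCEPT` rule or the `nat/POSTROUTING -o eth0 -j MASQUERADE` rule, and since the function now returns nil either way a leftover rule from an older version stays in force with only that one line as evidence. At minimum name the rule in each message, e.g. `r.logf("failed to delete legacy rule in filter/FORWARD, continuing anyway: %v", err)` and `r.logf("failed to delete legacy rule in nat/POSTROUTING, continuing anyway: %v", err)`. If the `del` helper, presumably defined just above this hunk, can tell a missing xt_comment module or an absent rule apart from a genuine deletion failure, only the former should be downgraded to a log line; otherwise a short comment stating that a surviving legacy rule is tolerated here would help the next reader. The body of delLegacyNetfilter starts outside the hunk.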
diff --git a/wgengine/router/router_linux_test.go b/wgengine/router/router_linux_test.go
index 820e36f4b..9814b5f66 100644
--- a/wgengine/router/router_linux_test.go
+++ b/wgengine/router/router_linux_test.go
@@ -114,7 +114,7 @@ filter/ts-forward -i tailscale0 -d 200.0.0.0/8 -j MARK --set-mark 0x10000/0x1000
 filter/ts-forward -m mark --mark 0x10000/0x10000 -j ACCEPT
 filter/ts-forward -i tailscale0 -j DROP
 filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT
-filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -m comment --comment ChromeOS VM connectivity -j RETURN
+filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN
 filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP
 nat/POSTROUTING -j ts-postrouting
 nat/ts-postrouting -m mark --mark 0x10000/0x10000 -j MASQUERADE
@@ -138,7 +138,7 @@ filter/INPUT -j ts-input
 filter/ts-forward -m mark --mark 0x10000/0x10000 -j ACCEPT
 filter/ts-forward -i tailscale0 -j DROP
 filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT
-filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -m comment --comment ChromeOS VM connectivity -j RETURN
+filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN
 filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP
 nat/POSTROUTING -j ts-postrouting
 `,
@@ -166,7 +166,7 @@ filter/ts-forward -i tailscale0 -d 200.0.0.0/8 -j MARK --set-mark 0x10000/0x1000
 filter/ts-forward -m mark --mark 0x10000/0x10000 -j ACCEPT
 filter/ts-forward -i tailscale0 -j DROP
 filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT
-filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -m comment --comment ChromeOS VM connectivity -j RETURN
+filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN
 filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP
 nat/POSTROUTING -j ts-postrouting
 `,
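Review bot: These fixture hunks only track the dropped `-m comment` on the ts-input RETURN rule; as far as the hunks in this file show, nothing exercises the other half of the commit, where a failed legacy-rule deletion in delLegacyNetfilter is logged and the function still returns nil. A table case in which the fake iptables rejects the delete of the legacy FORWARD or POSTROUTING rule would pin that the error is swallowed on purpose rather than propagated, and would catch a future change that makes it fatal again. The same fixture edit recurs in the hunks at 189, 211 and 233. The enclosing test table starts and ends outside these hunks.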
@@ -189,7 +189,7 @@ filter/INPUT -j ts-input
 filter/ts-forward -m mark --mark 0x10000/0x10000 -j ACCEPT
 filter/ts-forward -i tailscale0 -j DROP
 filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT
-filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -m comment --comment ChromeOS VM connectivity -j RETURN
+filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN
 filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP
 nat/POSTROUTING -j ts-postrouting
 `,
@@ -211,7 +211,7 @@ ip rule add fwmark 0x20000/0x20000 priority 10000 table main suppress_ifgroup 10
 filter/ts-forward -m mark --mark 0x10000/0x10000 -j ACCEPT
 filter/ts-forward -i tailscale0 -j DROP
 filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT
-filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -m comment --comment ChromeOS VM connectivity -j RETURN
+filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN
 filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP
 `,
 },
@@ -233,7 +233,7 @@ filter/INPUT -j ts-input
 filter/ts-forward -m mark --mark 0x10000/0x10000 -j ACCEPT
 filter/ts-forward -i tailscale0 -j DROP
 filter/ts-input -i lo -s 100.101.102.104 -j ACCEPT
-filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -m comment --comment ChromeOS VM connectivity -j RETURN
+filter/ts-input ! -i tailscale0 -s 100.115.92.0/23 -j RETURN
 filter/ts-input ! -i tailscale0 -s 100.64.0.0/10 -j DROP
 nat/POSTROUTING -j ts-postrouting
 `,