From a917718353e6db0c5cd5f7098e5b88bbd7760b23 Mon Sep 17 00:00:00 2001
From: Maisem Ali
Date: Sat, 3 Aug 2024 08:26:12 -0700
Subject: [PATCH] util/linuxfw: return nil interface not concrete type

It was returning a nil `*iptablesRunner` instead of a nil `NetfilterRunner` interface which would then fail checks later.
Fixes #13012
Signed-off-by: Maisem Ali
---
 util/linuxfw/nftables_runner.go | 18 ++++++++++++++++--
 wgengine/userspace.go | 2 +-
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/util/linuxfw/nftables_runner.go b/util/linuxfw/nftables_runner.go
index 3b3a329e3..317d84c12 100644
--- a/util/linuxfw/nftables_runner.go
+++ b/util/linuxfw/nftables_runner.go
@@ -592,9 +592,23 @@ func New(logf logger.Logf, prefHint string) (NetfilterRunner, error) {
 mode := detectFirewallMode(logf, prefHint)
 switch mode {
 case FirewallModeIPTables:
- return newIPTablesRunner(logf)
+ // Note that we don't simply return an newIPTablesRunner here because it
+ // would return a `nil` iptablesRunner which is different from returning
+ // a nil NetfilterRunner.
+ ipr, err := newIPTablesRunner(logf)
+ if err != nil {
+ return nil, err
+ }
+ return ipr, nil
 case FirewallModeNfTables:
- return newNfTablesRunner(logf)
+ // Note that we don't simply return an newNfTablesRunner here because it
+ // would return a `nil` nftablesRunner which is different from returning
+ // a nil NetfilterRunner.
+ nfr, err := newNfTablesRunner(logf)
+ if err != nil {
+ return nil, err
+ }
+ return nfr, nil
 default:
 return nil, fmt.Errorf("unknown firewall mode %v", mode)
 }
diff --git a/wgengine/userspace.go b/wgengine/userspace.go
index 6399476c8..1a3c7637f 100644
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
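Review bot: The typed-nil guard is open-coded in each `case` arm of `New` in util/linuxfw/nftables_runner.go, and nothing states the contract it protects, so a later firewall mode added to this switch that directly returns a concrete-typed constructor would compile and again hand back a non-nil `NetfilterRunner` wrapping a nil pointer. For a firewall runner that matters if any caller gates on the runner being non-nil rather than on `err` (callers are not visible in this hunk), because a failed constructor would then look usable. I would state the rule on the function itself, e.g. `// New returns a nil NetfilterRunner, never a typed nil pointer, when err is non-nil.`, and fix the wording "an newIPTablesRunner" / "an newNfTablesRunner" in the two added comments. A small test asserting that the returned interface compares `== nil` on the error path would pin the fix. `New`'s signature line and closing brace lie outside the hunk.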
@@ -374,7 +374,7 @@ func NewUserspaceEngine(logf logger.Logf, conf Config) (_ Engine, reterr error) e.logf("onPortUpdate(port=%v, network=%s)", port, network) if err := e.router.UpdateMagicsockPort(port, network); err != nil { - e.logf("UpdateMagicsockPort(port=%v, network=%s) failed: %w", port, network, err) + e.logf("UpdateMagicsockPort(port=%v, network=%s) failed: %v", port, network, err) } } magicsockOpts := magicsock.Options{