You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
tailscale/util/linuxfw
Irbe Krumina 9bd158cc09
cmd/containerboot,util/linuxfw: create a SNAT rule for dst/src only once, clean up if needed (#13658)
The AddSNATRuleForDst rule was adding a new rule each time it was called including:
- if a rule already existed
- if a rule matching the destination, but with different desired source already existed

This was causing issues especially for the in-progress egress HA proxies work,
where the rules are now refreshed more frequently, so more redundant rules
were being created.

This change:
- only creates the rule if it doesn't already exist
- if a rule for the same dst, but different source is found, delete it
- also ensures that egress proxies refresh firewall rules
if the node's tailnet IP changes

Updates tailscale/tailscale#13406

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
4 weeks ago
..
linuxfwtest util/linuxfw: initial implementation of package 2 years ago
detector.go util/linuxfw: fall back to nftables when iptables not found 2 months ago
fake.go cmd/containerboot,cmd/k8s-operator: enable IPv6 for fqdn egress proxies (#12577) 4 months ago
helpers.go util/slicesx: add FirstElementEqual and LastElementEqual 2 months ago
iptables.go util/linuxfw: fall back to nftables when iptables not found 2 months ago
iptables_for_svcs.go cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets (#13531) 1 month ago
iptables_for_svcs_test.go cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets (#13531) 1 month ago
iptables_runner.go cmd/containerboot,util/linuxfw: create a SNAT rule for dst/src only once, clean up if needed (#13658) 4 weeks ago
iptables_runner_test.go cmd/containerboot,util/linuxfw: create a SNAT rule for dst/src only once, clean up if needed (#13658) 4 weeks ago
linuxfw.go all: add test for package comments, fix, add comments as needed 4 months ago
linuxfw_unsupported.go all: cleanup unused code, part 2 (#10670) 11 months ago
nftables.go util/cmpx: delete now that we're using Go 1.22 9 months ago
nftables_for_svcs.go cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets (#13531) 1 month ago
nftables_for_svcs_test.go cmd/containerboot,util/linuxfw: create a SNAT rule for dst/src only once, clean up if needed (#13658) 4 weeks ago
nftables_runner.go cmd/containerboot,util/linuxfw: create a SNAT rule for dst/src only once, clean up if needed (#13658) 4 weeks ago
nftables_runner_test.go cmd/containerboot,util/linuxfw: create a SNAT rule for dst/src only once, clean up if needed (#13658) 4 weeks ago
nftables_types.go util/linuxfw: add new arch build constraints 1 year ago