tailscale/util/linuxfw
Maisem Ali c3a8e63100 util/linuxfw: add additional nftable detection logic
We were previously using the netlink API to see if there are chains/rules that
already exist. This works fine in environments where there is either full
nftable support or no support at all. However, we have identified certain
environments which have partial nftable support and the only feasible way of
detecting such an environment is to try to create some of the chains that we
need.

This adds a check to create a dummy postrouting chain which is immediately
deleted. The goal of the check is to ensure we are able to use nftables and
that it won't error out later. This check is only done in the path where we
detected that the system has no preexisting nftable rules.

Updates #5621
Updates #8555
Updates #8762

Signed-off-by: Maisem Ali <maisem@tailscale.com>
1 year ago
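The probe described in the commit message, as an added illustration written for this page rather than code from the tailscale repository: create a NAT postrouting chain in a scratch table, delete it again, and treat any failure as "nftables is not usable here", running the probe only when no nftables rules already exist. The `Table`, `Chain` and `nftConn` types are simplified stand-ins for the google/nftables API the real package uses, the probe object names `ts-probe`/`ts-probe-postrouting` are hypothetical, the fall-back to iptables on probe failure is this example's assumption, and `fakeConn` is a constructed in-memory netlink substitute (with `supportsNAT=false` modelling a kernel that accepts tables but rejects NAT chains) so the code runs without root.

```go
package main

import (
	"fmt"
	"syscall"
)

// Table and Chain are simplified stand-ins (this example's assumption) for
// the google/nftables types; Chain.Type is "nat" or "filter".
type Table struct{ Family, Name string }
type Chain struct {
	Table      Table
	Name, Type string
}

func (t Table) key() string { return t.Family + "/" + t.Name }
func (c Chain) key() string { return c.Table.key() + "/" + c.Name }

// nftConn mirrors the batch-oriented netlink API: Add*/Del* only queue
// work and any error surfaces on Flush.
type nftConn interface {
	AddTable(Table)
	AddChain(Chain)
	DelChain(Chain)
	DelTable(Table)
	Flush() error
}

// Hypothetical names for the throwaway objects; the project's own differ.
const probeTable, probeChain = "ts-probe", "ts-probe-postrouting"

// probePostroutingChain creates a NAT postrouting chain in a scratch table
// and deletes both again. With partial nftables support (tables work, NAT
// chains do not) the first Flush fails, which listing existing rules over
// netlink can never reveal.
func probePostroutingChain(c nftConn, family string) error {
	t := Table{Family: family, Name: probeTable}
	ch := Chain{Table: t, Name: probeChain, Type: "nat"}
	c.AddTable(t)
	c.AddChain(ch)
	if err := c.Flush(); err != nil {
		return fmt.Errorf("nftables %s: creating probe postrouting chain: %w", family, err)
	}
	c.DelChain(ch)
	c.DelTable(t)
	if err := c.Flush(); err != nil {
		return fmt.Errorf("nftables %s: removing probe chain: %w", family, err)
	}
	return nil
}

// chooseBackend follows the commit message: the probe runs only when no
// nftables rules preexist. Falling back to iptables is an assumption here.
func chooseBackend(c nftConn, haveExistingNftRules bool) (string, error) {
	if haveExistingNftRules {
		return "nftables", nil
	}
	if err := probePostroutingChain(c, "ip"); err != nil {
		return "iptables", err
	}
	return "nftables", nil
}

// fakeConn is a constructed in-memory netlink stand-in so the probe runs
// without root; supportsNAT=false models a kernel with partial support.
type fakeConn struct {
	supportsNAT    bool
	tables, chains map[string]bool
	pending        []func() error
}

func newFakeConn(supportsNAT bool) *fakeConn {
	return &fakeConn{supportsNAT: supportsNAT, tables: map[string]bool{}, chains: map[string]bool{}}
}

func (f *fakeConn) AddTable(t Table) {
	f.pending = append(f.pending, func() error { f.tables[t.key()] = true; return nil })
}

func (f *fakeConn) AddChain(c Chain) {
	f.pending = append(f.pending, func() error {
		if c.Type == "nat" && !f.supportsNAT {
			return syscall.EOPNOTSUPP // constructed failure mode for partial support
		}
		f.chains[c.key()] = true
		return nil
	})
}

func (f *fakeConn) DelChain(c Chain) {
	f.pending = append(f.pending, func() error { delete(f.chains, c.key()); return nil })
}

func (f *fakeConn) DelTable(t Table) {
	f.pending = append(f.pending, func() error { delete(f.tables, t.key()); return nil })
}

// Flush applies the batch atomically, as the kernel does: the first error
// rolls everything back, so a failed probe leaves no table behind.
func (f *fakeConn) Flush() error {
	ops, savedT, savedC := f.pending, cloneSet(f.tables), cloneSet(f.chains)
	f.pending = nil
	for _, op := range ops {
		if err := op(); err != nil {
			f.tables, f.chains = savedT, savedC
			return err
		}
	}
	return nil
}

func cloneSet(m map[string]bool) map[string]bool {
	out := make(map[string]bool, len(m))
	for k := range m {
		out[k] = true
	}
	return out
}

func main() {
	for _, fake := range []*fakeConn{newFakeConn(true), newFakeConn(false)} {
		mode, err := chooseBackend(fake, false)
		fmt.Printf("supportsNAT=%v -> %s (err=%v, leftover tables=%d)\n", fake.supportsNAT, mode, err, len(fake.tables))
	}
}
```

The point worth checking on a real kernel is the second half of the probe: because netlink batches are atomic, a rejected batch leaves no scratch table behind, but a successful one does, so the delete batch must run (and be checked) before the backend is reported usable.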
linuxfwtest util/linuxfw: initial implementation of package 2 years ago
detector.go util/linuxfw: move detection logic 1 year ago
fake.go util/linuxfw: move fake runner into pkg 1 year ago
helpers.go util/linuxfw: initial implementation of package 2 years ago
iptables.go util/linuxfw: move detection logic 1 year ago
iptables_runner.go cmd/containerboot: use linuxfw.NetfilterRunner 1 year ago
iptables_runner_test.go util/linuxfw: move fake runner into pkg 1 year ago
linuxfw.go util/linuxfw: rename ErrorFWModeNotSupported 1 year ago
linuxfw_unsupported.go util/linuxfw: move detection logic 1 year ago
nftables.go util/linuxfw: add additional nftable detection logic 1 year ago
nftables_runner.go util/linuxfw: add additional nftable detection logic 1 year ago
nftables_runner_test.go util/linuxfw: add additional nftable detection logic 1 year ago
nftables_types.go util/linuxfw: add new arch build constraints 1 year ago