starred/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-03-31 06:34:14 -04:00
Code Issues Packages Projects Releases Wiki Activity

[client] Make raw table initialization non-fatal in firewall managers (#5621)

Browse Source
This commit is contained in:
Viktor Liu
2026-03-20 00:33:38 +08:00
committed by GitHub
parent 5ffaa5cdd6
commit b9462f5c6b
2 changed files with 15 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
client/firewall/iptables/manager_linux.go
View File

@@ -23,9 +23,10 @@ type Manager struct {
wgIface iFaceMapper wgIface iFaceMapper
ipv4Client *iptables.IPTables ipv4Client *iptables.IPTables
aclMgr *aclManager aclMgr *aclManager
router *router router *router
rawSupported bool
} }
// iFaceMapper defines subset methods of interface required for manager // iFaceMapper defines subset methods of interface required for manager
@@ -84,7 +85,7 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
} }
if err := m.initNoTrackChain(); err != nil { if err := m.initNoTrackChain(); err != nil {
return fmt.Errorf("init notrack chain: %w", err) log.Warnf("raw table not available, notrack rules will be disabled: %v", err)
} }
// persist early to ensure cleanup of chains // persist early to ensure cleanup of chains
@@ -318,6 +319,10 @@ func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
m.mutex.Lock() m.mutex.Lock()
defer m.mutex.Unlock() defer m.mutex.Unlock()
if !m.rawSupported {
return fmt.Errorf("raw table not available")
}
wgPortStr := fmt.Sprintf("%d", wgPort) wgPortStr := fmt.Sprintf("%d", wgPort)
proxyPortStr := fmt.Sprintf("%d", proxyPort) proxyPortStr := fmt.Sprintf("%d", proxyPort)
@@ -375,12 +380,16 @@ func (m *Manager) initNoTrackChain() error {
return fmt.Errorf("add prerouting jump rule: %w", err) return fmt.Errorf("add prerouting jump rule: %w", err)
} }
m.rawSupported = true
return nil return nil
} }
func (m *Manager) cleanupNoTrackChain() error { func (m *Manager) cleanupNoTrackChain() error {
exists, err := m.ipv4Client.ChainExists(tableRaw, chainNameRaw) exists, err := m.ipv4Client.ChainExists(tableRaw, chainNameRaw)
if err != nil { if err != nil {
if !m.rawSupported {
return nil
}
return fmt.Errorf("check chain exists: %w", err) return fmt.Errorf("check chain exists: %w", err)
} }
if !exists { if !exists {
@@ -401,6 +410,7 @@ func (m *Manager) cleanupNoTrackChain() error {
return fmt.Errorf("clear and delete chain: %w", err) return fmt.Errorf("clear and delete chain: %w", err)
} }
m.rawSupported = false
return nil return nil
} }

2
client/firewall/nftables/manager_linux.go
View File

@@ -95,7 +95,7 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
} }
if err := m.initNoTrackChains(workTable); err != nil { if err := m.initNoTrackChains(workTable); err != nil {
return fmt.Errorf("init notrack chains: %w", err) log.Warnf("raw priority chains not available, notrack rules will be disabled: %v", err)
} }
stateManager.RegisterState(&ShutdownState{}) stateManager.RegisterState(&ShutdownState{})