ipn: plumb NetfilterMode all the way out to the CLI.

Signed-off-by: David Anderson <danderson@tailscale.com>
2025-10-10 09:45:08 +00:00 · 2020-05-15 02:07:06 +00:00
parent c67c8913c3
commit 0fe262f093
7 changed files with 89 additions and 61 deletions
--- a/wgengine/router/router.go
+++ b/wgengine/router/router.go
@@ -35,6 +35,8 @@ func New(logf logger.Logf, wgdev *device.Device, tundev tun.Device) (Router, err
 	return newUserspaceRouter(logf, wgdev, tundev)
 }

+// NetfilterMode is the firewall management mode to use when
+// programming the Linux network stack.
 type NetfilterMode int

 const (
@@ -43,6 +45,19 @@ const (
 	NetfilterOn                            // manage tailscale chains and call them from main chains
 )

+func (m NetfilterMode) String() string {
+	switch m {
+	case NetfilterOff:
+		return "off"
+	case NetfilterNoDivert:
+		return "nodivert"
+	case NetfilterOn:
+		return "on"
+	default:
+		return "???"
+	}
+}
+
 // Config is the subset of Tailscale configuration that is relevant to
 // the OS's network stack.
 type Config struct {
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -718,6 +718,24 @@ func (r *linuxRouter) delNetfilterHooks() error {
 	del := func(table, chain string) error {
 		tsChain := tsChain(chain)

+		chains, err := r.ipt4.ListChains(table)
+		if err != nil {
+			return fmt.Errorf("listing iptables chains: %v", err)
+		}
+		found := false
+		for _, chain := range chains {
+			if chain == tsChain {
+				found = true
+				break
+			}
+		}
+		if !found {
+			// The divert rule can't exist if the chain doesn't exist,
+			// and querying for a jump to a non-existent chain errors
+			// out.
+			return nil
+		}
+
 		args := []string{"-j", tsChain}
 		exists, err := r.ipt4.Exists(table, chain, args...)
 		if err != nil {
--- a/wgengine/router/router_linux_test.go
+++ b/wgengine/router/router_linux_test.go
@@ -49,7 +49,8 @@ ip rule add fwmark 0x20000/0x20000 priority 10000 table main suppress_ifgroup 10
 		{
 			name: "local addr only",
 			in: &Config{
-				LocalAddrs: mustCIDRs("100.101.102.103/10"),
+				LocalAddrs:    mustCIDRs("100.101.102.103/10"),
+				NetfilterMode: NetfilterOff,
 			},
 			want: `
 up
@@ -61,8 +62,9 @@ ip rule add fwmark 0x20000/0x20000 priority 10000 table main suppress_ifgroup 10
 		{
 			name: "addr and routes",
 			in: &Config{
-				LocalAddrs: mustCIDRs("100.101.102.103/10"),
-				Routes:     mustCIDRs("100.100.100.100/32", "192.168.16.0/24"),
+				LocalAddrs:    mustCIDRs("100.101.102.103/10"),
+				Routes:        mustCIDRs("100.100.100.100/32", "192.168.16.0/24"),
+				NetfilterMode: NetfilterOff,
 			},
 			want: `
 up
@@ -76,9 +78,10 @@ ip rule add fwmark 0x20000/0x20000 priority 10000 table main suppress_ifgroup 10
 		{
 			name: "addr and routes and subnet routes",
 			in: &Config{
-				LocalAddrs:   mustCIDRs("100.101.102.103/10"),
-				Routes:       mustCIDRs("100.100.100.100/32", "192.168.16.0/24"),
-				SubnetRoutes: mustCIDRs("200.0.0.0/8"),
+				LocalAddrs:    mustCIDRs("100.101.102.103/10"),
+				Routes:        mustCIDRs("100.100.100.100/32", "192.168.16.0/24"),
+				SubnetRoutes:  mustCIDRs("200.0.0.0/8"),
+				NetfilterMode: NetfilterOff,
 			},
 			want: `
 up