TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-02-16 18:08:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

router_linux: fix behaviour when switching --netfilter-mode.

Browse Source 
On startup, and when switching into =off and =nodivert, we were
deleting netfilter rules even if we weren't the ones that added them.

In order to avoid interfering with rules added by the sysadmin, we have
to be sure to delete rules only in the case that we added them in the
first place.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
This commit is contained in:
Avery Pennarun 2020-05-28 05:52:33 -04:00
parent a496cdc943
commit 9ff51909a3
2 changed files with 16 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cmd/tailscale/tailscale.go
View File

@ -212,10 +212,10 @@ func runUp(ctx context.Context, args []string) error {
prefs.NetfilterMode = router.NetfilterOn
case "nodivert":
prefs.NetfilterMode = router.NetfilterNoDivert
warning("netfilter in nodivert mode, you must add calls to Tailscale netfilter chains manually")
warning("netfilter=nodivert; add iptables calls to ts-* chains manually.")
case "off":
prefs.NetfilterMode = router.NetfilterOff
warning("netfilter management disabled, you must write a secure packet filter yourself")
warning("netfilter=off; configure iptables yourself.")
default:
log.Fatalf("invalid value --netfilter-mode: %q", upArgs.netfilterMode)
}

28
wgengine/router/router_linux.go
View File

@ -106,13 +106,9 @@ func (r *linuxRouter) Up() error {
if err := r.delLegacyNetfilter(); err != nil {
return err
}
if err := r.delNetfilterHooks(); err != nil {
if err := r.setNetfilterMode(NetfilterOff); err != nil {
return err
}
if err := r.delNetfilterBase(); err != nil {
return err
}
if err := r.addBypassRule(); err != nil {
return err
}
@ -130,10 +126,7 @@ func (r *linuxRouter) down() error {
if err := r.delBypassRule(); err != nil {
return err
}
if err := r.delNetfilterHooks(); err != nil {
return err
}
if err := r.delNetfilterBase(); err != nil {
if err := r.setNetfilterMode(NetfilterOff); err != nil {
return err
}
@ -229,11 +222,18 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
switch mode {
case NetfilterOff:
if err := r.delNetfilterHooks(); err != nil {
return err
}
if err := r.delNetfilterBase(); err != nil {
return err
switch r.netfilterMode {
case NetfilterNoDivert:
if err := r.delNetfilterBase(); err != nil {
return err
}
case NetfilterOn:
if err := r.delNetfilterHooks(); err != nil {
return err
}
if err := r.delNetfilterBase(); err != nil {
return err
}
}
r.snatSubnetRoutes = false
case NetfilterNoDivert: