util/linuxfw: add nftables support

This commit adds nftables rule injection for tailscaled. If tailscaled is
started with the envknob TS_DEBUG_USE_NETLINK_NFTABLES = true, the router
will use nftables to manage firewall rules.

Updates: #391

Signed-off-by: KevinLiang10 <kevinliang@tailscale.com>
This commit is contained in:
KevinLiang10
2023-06-19 20:05:14 +00:00
committed by KevinLiang10
parent abcb7ec1ce
commit a3c7b21cd1
7 changed files with 1833 additions and 23 deletions


@@ -453,18 +453,18 @@ func (n *fakeIPTablesRunner) AddLoopbackRule(addr netip.Addr) error {
}
func (n *fakeIPTablesRunner) AddBase(tunname string) error {
if err := n.AddBase4(tunname); err != nil {
if err := n.addBase4(tunname); err != nil {
return err
}
if n.HasIPV6() {
if err := n.AddBase6(tunname); err != nil {
if err := n.addBase6(tunname); err != nil {
return err
}
}
return nil
}
func (n *fakeIPTablesRunner) AddBase4(tunname string) error {
func (n *fakeIPTablesRunner) addBase4(tunname string) error {
curIPT := n.ipt4
newRules := []struct{ chain, rule string }{
{"filter/ts-input", fmt.Sprintf("! -i %s -s %s -j RETURN", tunname, tsaddr.ChromeOSVMRange().String())},
@@ -482,7 +482,7 @@ func (n *fakeIPTablesRunner) AddBase4(tunname string) error {
return nil
}
func (n *fakeIPTablesRunner) AddBase6(tunname string) error {
func (n *fakeIPTablesRunner) addBase6(tunname string) error {
curIPT := n.ipt6
newRules := []struct{ chain, rule string }{
{"filter/ts-forward", fmt.Sprintf("-i %s -j MARK --set-mark %s/%s", tunname, linuxfw.TailscaleSubnetRouteMark, linuxfw.TailscaleFwmarkMask)},