util/linuxfw: initial implementation of package

This package is an initial implementation of something that can read netfilter and iptables rules from the Linux kernel without needing to shell out to an external utility; it speaks directly to the kernel using syscalls and parses the data returned. Currently this is read-only since it only knows how to parse a subset of the available data. Signed-off-by: Andrew Dunham <andrew@tailscale.com> Change-Id: Iccadf5dcc081b73268d8ccf8884c24eb6a6f1ff5
2025-08-13 06:07:34 +00:00 · 2022-08-24 00:00:06 -04:00
parent 3c107ff301
commit ba48ec5e39
11 changed files with 1347 additions and 7 deletions
--- a/util/linuxfw/linuxfw_unsupported.go
+++ b/util/linuxfw/linuxfw_unsupported.go
@@ -0,0 +1,33 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// NOTE: linux_386 and linux_loong64 are currently unsupported due to missing
+// support in upstream dependencies.
+
+//go:build !linux || (linux && (386 || loong64))
+
+package linuxfw
+
+import (
+	"tailscale.com/types/logger"
+)
+
+// DebugNetfilter is not supported on non-Linux platforms.
+func DebugNetfilter(logf logger.Logf) error {
+	return ErrUnsupported
+}
+
+// DetectNetfilter is not supported on non-Linux platforms.
+func DetectNetfilter() (int, error) {
+	return 0, ErrUnsupported
+}
+
+// DebugIptables is not supported on non-Linux platforms.
+func DebugIptables(logf logger.Logf) error {
+	return ErrUnsupported
+}
+
+// DetectIptables is not supported on non-Linux platforms.
+func DetectIptables() (int, error) {
+	return 0, ErrUnsupported
+}