mirror of
https://github.com/qdm12/gluetun.git
synced 2026-05-09 20:29:23 +02:00
only use kernel modules error as context to an actual error, not as a requirement since some systems don't show what they support reliably
This commit is contained in:
Quentin McGaw
@@ -141,13 +141,14 @@ func (c *Config) AcceptOutputThroughInterface(ctx context.Context, intf string,
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (c *Config) AcceptEstablishedRelatedTraffic(ctx context.Context) error {
|
func (c *Config) AcceptEstablishedRelatedTraffic(ctx context.Context) error {
|
||||||
if !c.modules.nfConntrack.ok {
|
err := c.runMixedIptablesInstructions(ctx, []string{
|
||||||
return fmt.Errorf("%w: %s", ErrKernelModuleMissing, c.modules.nfConntrack.name)
|
|
||||||
}
|
|
||||||
return c.runMixedIptablesInstructions(ctx, []string{
|
|
||||||
"--append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
|
"--append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
|
||||||
"--append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
|
"--append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
|
||||||
})
|
})
|
||||||
|
if err != nil && !c.modules.nfConntrack.ok {
|
||||||
|
return fmt.Errorf("%w: %s", ErrKernelModuleMissing, c.modules.nfConntrack.name)
|
||||||
|
}
|
||||||
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// AcceptOutputPublicOnlyNewTraffic adds rules to mark new output connections, and to accept
|
// AcceptOutputPublicOnlyNewTraffic adds rules to mark new output connections, and to accept
|
||||||
@@ -157,11 +158,6 @@ func (c *Config) AcceptEstablishedRelatedTraffic(ctx context.Context) error {
|
|||||||
// If the relevant kernel modules (nf_conntrack, xt_conntrack and xt_connmark)
|
// If the relevant kernel modules (nf_conntrack, xt_conntrack and xt_connmark)
|
||||||
// are not available, it returns an error indicating which kernel module is missing.
|
// are not available, it returns an error indicating which kernel module is missing.
|
||||||
func (c *Config) AcceptOutputPublicOnlyNewTraffic(ctx context.Context) error {
|
func (c *Config) AcceptOutputPublicOnlyNewTraffic(ctx context.Context) error {
|
||||||
err := checkKernelModulesAreOK(c.modules.nfConntrack, c.modules.xtConntrack, c.modules.xtConnmark)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("checking kernel modules: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
ipv4Instructions, ipv6Instructions := makeCreatePublicIPChainInstructions()
|
ipv4Instructions, ipv6Instructions := makeCreatePublicIPChainInstructions()
|
||||||
appendToBoth := func(instruction string) {
|
appendToBoth := func(instruction string) {
|
||||||
ipv4Instructions = append(ipv4Instructions, instruction)
|
ipv4Instructions = append(ipv4Instructions, instruction)
|
||||||
@@ -188,16 +184,26 @@ func (c *Config) AcceptOutputPublicOnlyNewTraffic(ctx context.Context) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
kernelErr := checkKernelModulesAreOK(c.modules.nfConntrack,
|
||||||
|
c.modules.xtConntrack, c.modules.xtConnmark)
|
||||||
|
|
||||||
err = c.runIptablesInstructionsNoSave(ctx, ipv4Instructions)
|
err = c.runIptablesInstructionsNoSave(ctx, ipv4Instructions)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
restore(ctx)
|
restore(ctx)
|
||||||
|
if strings.Contains(err.Error(), "support") && kernelErr != nil {
|
||||||
|
err = fmt.Errorf("%w: %w", err, kernelErr)
|
||||||
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
err = c.runIP6tablesInstructionsNoSave(ctx, ipv6Instructions)
|
err = c.runIP6tablesInstructionsNoSave(ctx, ipv6Instructions)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
restore(ctx)
|
restore(ctx)
|
||||||
|
if strings.Contains(err.Error(), "support") && kernelErr != nil {
|
||||||
|
err = fmt.Errorf("%w: %w", err, kernelErr)
|
||||||
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -211,11 +217,6 @@ func (c *Config) RejectOutputPublicTraffic(ctx context.Context, remove bool) err
|
|||||||
return c.runMixedIptablesInstructions(ctx, removeInstructions)
|
return c.runMixedIptablesInstructions(ctx, removeInstructions)
|
||||||
}
|
}
|
||||||
|
|
||||||
err := checkKernelModulesAreOK(c.modules.nfConntrack, c.modules.nfRejectIPv4, c.modules.xtReject)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("checking kernel modules: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
ipv4Instructions, ipv6Instructions := makeCreatePublicIPChainInstructions()
|
ipv4Instructions, ipv6Instructions := makeCreatePublicIPChainInstructions()
|
||||||
appendToBoth := func(instruction string) {
|
appendToBoth := func(instruction string) {
|
||||||
ipv4Instructions = append(ipv4Instructions, instruction)
|
ipv4Instructions = append(ipv4Instructions, instruction)
|
||||||
@@ -229,15 +230,26 @@ func (c *Config) RejectOutputPublicTraffic(ctx context.Context, remove bool) err
|
|||||||
"-j REJECT --reject-with tcp-reset")
|
"-j REJECT --reject-with tcp-reset")
|
||||||
appendToBoth("-I OUTPUT -j PUBLIC_ONLY")
|
appendToBoth("-I OUTPUT -j PUBLIC_ONLY")
|
||||||
|
|
||||||
err = c.runIptablesInstructions(ctx, ipv4Instructions)
|
kernelErr := checkKernelModulesAreOK(c.modules.nfConntrack,
|
||||||
|
c.modules.nfRejectIPv4, c.modules.xtReject)
|
||||||
|
|
||||||
|
err := c.runIptablesInstructions(ctx, ipv4Instructions)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
if strings.Contains(err.Error(), "support") && kernelErr != nil {
|
||||||
|
err = fmt.Errorf("%w: %w", err, kernelErr)
|
||||||
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
err = c.runIP6tablesInstructions(ctx, ipv6Instructions)
|
err = c.runIP6tablesInstructions(ctx, ipv6Instructions)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
_ = c.runIptablesInstructions(ctx, removeInstructions)
|
_ = c.runIptablesInstructions(ctx, removeInstructions)
|
||||||
|
if strings.Contains(err.Error(), "support") && kernelErr != nil {
|
||||||
|
err = fmt.Errorf("%w: %w", err, kernelErr)
|
||||||
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -12,12 +12,11 @@ import (
|
|||||||
var ErrConntrackNetlinkNotSupported = errors.New("nf_conntrack_netlink is not supported by the kernel")
|
var ErrConntrackNetlinkNotSupported = errors.New("nf_conntrack_netlink is not supported by the kernel")
|
||||||
|
|
||||||
func (n *NetLink) FlushConntrack() error {
|
func (n *NetLink) FlushConntrack() error {
|
||||||
if !n.conntrackNetlink {
|
|
||||||
return fmt.Errorf("%w", ErrConntrackNetlinkNotSupported)
|
|
||||||
}
|
|
||||||
|
|
||||||
conn, err := netfilter.Dial(nil)
|
conn, err := netfilter.Dial(nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
if !n.conntrackNetlink {
|
||||||
|
err = fmt.Errorf("%w: %w", err, ErrConntrackNetlinkNotSupported)
|
||||||
|
}
|
||||||
return fmt.Errorf("dialing netfilter: %w", err)
|
return fmt.Errorf("dialing netfilter: %w", err)
|
||||||
}
|
}
|
||||||
defer conn.Close()
|
defer conn.Close()
|
||||||
@@ -36,6 +35,9 @@ func (n *NetLink) FlushConntrack() error {
|
|||||||
|
|
||||||
_, err = conn.Query(request)
|
_, err = conn.Query(request)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
if !n.conntrackNetlink {
|
||||||
|
err = fmt.Errorf("%w: %w", err, ErrConntrackNetlinkNotSupported)
|
||||||
|
}
|
||||||
return fmt.Errorf("querying netlink request: %w", err)
|
return fmt.Errorf("querying netlink request: %w", err)
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
|
|||||||
Reference in New Issue
Block a user