vanja/gluetun
1
0
Fork 0
mirror of https://github.com/qdm12/gluetun.git synced 2026-06-15 07:54:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

hotfix(firewall/iptables): only save stdout from iptables-save, not stderr

Browse Source
This commit is contained in:
Quentin McGaw
2026-05-21 03:50:44 +00:00
parent b119325241
commit 8f012014d6
1 changed files with 39 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/firewall/iptables/atomic.go
+39 -5
View File
@@ -1,6 +1,7 @@
package iptables package iptables
import ( import (
"bufio"
"context" "context"
"fmt" "fmt"
"os/exec" "os/exec"
@@ -41,8 +42,7 @@ func (c *Config) saveAndRestore(ctx context.Context) (restore func(context.Conte
// Callers of saveAndRestoreIPv4 MUST always lock the [Config] iptablesMutex // Callers of saveAndRestoreIPv4 MUST always lock the [Config] iptablesMutex
// before calling this function. // before calling this function.
func (c *Config) saveAndRestoreIPv4(ctx context.Context) (restore func(context.Context), err error) { func (c *Config) saveAndRestoreIPv4(ctx context.Context) (restore func(context.Context), err error) {
cmd := exec.CommandContext(ctx, c.ipTables+"-save") //nolint:gosec data, err := saveData(ctx, c.ipTables)
data, err := c.runner.Run(cmd)
if err != nil { if err != nil {
return nil, fmt.Errorf("saving IPv4 iptables: %w", err) return nil, fmt.Errorf("saving IPv4 iptables: %w", err)
} }
@@ -65,14 +65,13 @@ func (c *Config) saveAndRestoreIPv6(ctx context.Context) (restore func(context.C
return nil, nil //nolint:nilnil return nil, nil //nolint:nilnil
} }
cmd := exec.CommandContext(ctx, c.ip6Tables+"-save") //nolint:gosec data, err := saveData(ctx, c.ip6Tables)
data, err := c.runner.Run(cmd)
if err != nil { if err != nil {
return nil, fmt.Errorf("saving IPv6 iptables: %w", err) return nil, fmt.Errorf("saving IPv6 iptables: %w", err)
} }
restore = func(ctx context.Context) { restore = func(ctx context.Context) {
cmd = exec.CommandContext(ctx, c.ip6Tables+"-restore") //nolint:gosec cmd := exec.CommandContext(ctx, c.ip6Tables+"-restore") //nolint:gosec
cmd.Stdin = strings.NewReader(data) cmd.Stdin = strings.NewReader(data)
output, err := c.runner.Run(cmd) output, err := c.runner.Run(cmd)
if err != nil { if err != nil {
@@ -85,3 +84,38 @@ func (c *Config) saveAndRestoreIPv6(ctx context.Context) (restore func(context.C
func makeRestoreErrorMessage(err error, output, data string) string { func makeRestoreErrorMessage(err error, output, data string) string {
return fmt.Sprintf("%s: %s: restoring from data:\n%s", err, output, data) return fmt.Sprintf("%s: %s: restoring from data:\n%s", err, output, data)
} }
func saveData(ctx context.Context, binary string) (data string, err error) {
cmd := exec.CommandContext(ctx, binary+"-save") //nolint:gosec
output, err := cmd.Output()
if err != nil {
if exitErr, ok := err.(*exec.ExitError); ok {
stderr := strings.TrimSuffix(string(exitErr.Stderr), "\n")
if stderr != "" {
return "", fmt.Errorf("running %s-save: %w: %s", binary, err, stderr)
}
}
return "", fmt.Errorf("running %s-save: %w", binary, err)
}
err = checkData(string(output))
if err != nil {
return "", fmt.Errorf("checking saved data: %w", err)
}
return string(output), nil
}
func checkData(data string) error {
scanner := bufio.NewScanner(strings.NewReader(data))
i := 0
for scanner.Scan() {
line := scanner.Text()
if strings.HasPrefix(line, "[unsupported") {
return fmt.Errorf("unsupported revision marker found in line %d: %s", i+1, line)
}
i++
}
if scanner.Err() != nil {
return fmt.Errorf("scanning data: %w", scanner.Err())
}
return nil
}