Fallback to accepting only NEW output public traffic if conntrack netlink isn't supported

internal/firewall/iptables/parse.go

@@ -9,9 +9,19 @@ import (
 	"strings"
 )
 
+type operation uint8
+
+const (
+	opNone operation = iota
+	opAppend
+	opDelete
+	opInsert
+	opReplace
+)
+
 type iptablesInstruction struct {
 	table           string // defaults to "filter", and can be "nat" for example.
-	append          bool
+	operation       operation
 	chain           string       // for example INPUT, PREROUTING. Cannot be empty.
 	target          string       // for example ACCEPT. Can be empty.
 	protocol        string       // "tcp" or "udp" or "" for all protocols.
@@ -25,6 +35,8 @@ type iptablesInstruction struct {
 	ctstate         []string     // if empty, there is no ctstate
 	tcpFlags        tcpFlags
 	mark            mark
+	connMark        mark
+	setMark         uint // only used for jump CONNMARK --set-mark
 }
 
 func (i *iptablesInstruction) setDefaults() {
@@ -65,6 +77,10 @@ func (i *iptablesInstruction) equalToRule(table, chain string, rule chainRule) (
 		return false
 	case i.mark != rule.mark:
 		return false
+	case i.connMark != rule.connMark:
+		return false
+	case i.setMark != rule.setMark:
+		return false
 	default:
 		return true
 	}
@@ -113,13 +129,20 @@ func parseInstructionFlag(fields []string, instruction *iptablesInstruction) (co
 	case "-t", "--table":
 		instruction.table = value
 	case "-D", "--delete":
-		instruction.append = false
+		instruction.operation = opDelete
 		instruction.chain = value
 	case "-A", "--append":
-		instruction.append = true
+		instruction.operation = opAppend
+		instruction.chain = value
+	case "-I", "--insert":
+		instruction.operation = opInsert
 		instruction.chain = value
 	case "-j", "--jump":
-		instruction.target = value
+		subConsumed, err := parseJumpFlag(fields[1:], instruction)
+		if err != nil {
+			return 0, fmt.Errorf("parsing jump flag: %w", err)
+		}
+		consumed += subConsumed
 	case "-p", "--protocol":
 		instruction.protocol = value
 	case "-m", "--match":
@@ -128,13 +151,11 @@ func parseInstructionFlag(fields []string, instruction *iptablesInstruction) (co
 			return 0, fmt.Errorf("parsing match module: %w", err)
 		}
 	case "--mark":
-		const base = 0 // auto-detect
-		const bits = 32
-		value, err := strconv.ParseUint(value, base, bits)
+		n, err := parseAny32bNumber(value)
 		if err != nil {
-			return 0, fmt.Errorf("parsing mark value %q: %w", fields[2], err)
+			return 0, fmt.Errorf("parsing mark value %q: %w", value, err)
 		}
-		instruction.mark.value = uint(value)
+		instruction.mark.value = n
 	case "-i", "--in-interface":
 		instruction.inputInterface = value
 	case "-o", "--out-interface":
@@ -182,7 +203,7 @@ func preCheckInstructionFields(fields []string) (consumed int, err error) {
 	flag := fields[0]
 	// All flags use one value after the flag, except the following:
 	switch flag {
-	case "--tcp-flags": // -m can have 1 or 2 values
+	case "--tcp-flags":
 		const expected = 3
 		if len(fields) < expected {
 			return 0, fmt.Errorf("%w: flag %q requires at least 2 values, but got %s",
@@ -199,6 +220,34 @@ func preCheckInstructionFields(fields []string) (consumed int, err error) {
 	}
 }
 
+func parseJumpFlag(fields []string, instruction *iptablesInstruction) (consumed int, err error) {
+	instruction.target = fields[0]
+	// consumed in the caller already takes fields[0] into account
+	if instruction.target != "CONNMARK" {
+		return consumed, nil
+	}
+	// consumed already accounts for the "CONNMARK" value
+	const expectedFields = 3
+	if len(fields) < expectedFields {
+		return 0, fmt.Errorf("%w: jump CONNMARK requires at least two additional values",
+			ErrIptablesCommandMalformed)
+	}
+	switch fields[1] {
+	case "--set-mark":
+		n, err := parseAny32bNumber(fields[2])
+		if err != nil {
+			return 0, fmt.Errorf("parsing connmark mark value %q: %w", fields[2], err)
+		}
+		consumed++
+		instruction.setMark = n
+	default:
+		return consumed, fmt.Errorf("%w: unsupported jump CONNMARK with value: %s",
+			ErrIptablesCommandMalformed, fields[1])
+	}
+	consumed++
+	return consumed, nil
+}
+
 func parseIPPrefix(value string) (prefix netip.Prefix, err error) {
 	slashIndex := strings.Index(value, "/")
 	if slashIndex >= 0 {
@@ -221,6 +270,13 @@ func parsePort(value string) (port uint16, err error) {
 	return uint16(portValue), nil
 }
 
+func parseAny32bNumber(mark string) (value uint, err error) {
+	const base = 0 // auto-detect
+	const bits = 32
+	n, err := strconv.ParseUint(mark, base, bits)
+	return uint(n), err
+}
+
 func parseMatchModule(fields []string, instruction *iptablesInstruction) (
 	consumed int, err error,
 ) {
@@ -234,14 +290,30 @@ func parseMatchModule(fields []string, instruction *iptablesInstruction) (
 		// parse it twice.
 	case "mark":
 		consumed++
-		switch fields[consumed] {
-		case "!":
+		switch {
+		case len(fields[consumed:]) == 0 || strings.HasPrefix(fields[consumed], "-"):
+			// end or another flag
+			return consumed, nil
+		case fields[consumed] == "!":
 			consumed++
 			instruction.mark.invert = true
 		default:
 			return consumed, fmt.Errorf("%w: unsupported match mark with value: %s",
 				ErrIptablesCommandMalformed, fields[2])
 		}
+	case "connmark":
+		consumed++
+		switch {
+		case len(fields[consumed:]) == 0 || strings.HasPrefix(fields[consumed], "-"):
+			// end or another flag
+			return consumed, nil
+		case fields[consumed] == "!":
+			consumed++
+			instruction.connMark.invert = true
+		default:
+			return consumed, fmt.Errorf("%w: unsupported match connmark with value: %s",
+				ErrIptablesCommandMalformed, fields[2])
+		}
 	default:
 		return 0, fmt.Errorf("%w: unknown match value: %s",
 			ErrIptablesCommandMalformed, fields[consumed])